Posted by Grogan, 12-20-2008, 12:51 AM
Hello folks. I've been following this thread with great interest over the past several days, because I have a customer who is in this predicament (I run a local computer service in my town).

I was ecstatic to see a fix, as the people are very upset over the loss of their data: business documents and spreadsheets, resumes and kids' school documents, thousands of family photos, etc.

However, I no longer have the PC with me; I finally had to return it. I did, however, retain a copy of their data, but evidently some encryption keys are needed. I recreated the directory structure in a VMware virtual machine and restored the cdd and flr directories and their documents tree, and I'm just getting "Unable to find the first key. PC not infected".

I sure hope that these keys are found on the PC when the program is run there. I instructed them not to delete anything, just in case.

I did not find the trojan that caused this on their PC. I found and removed some common malware, but nothing that would cause this. I kept it for days, and in my opinion the system is clean of any active malware. I can usually tell when a system is jacked. It's not exhibiting any suspicious behaviour, and all scans (Avira AntiVir, NOD32, Kaspersky, Malwarebytes, SUPERAntiSpyware, Spybot S&D, a-squared, etc.) come up clean now. No sinister rootkit activities. I did my usual manual hunting and poking too, both on and off the system. I spent an insane amount of time on this, but I really wanted to find the culprit and, more importantly, a solution.

I think this was some sort of "hit and run" trojan: did its dirty work, and then buggered off. I found evidence in their temporary internet files of a possible route for this catastrophe, but I can't be sure. (I tried to download the malware executable the malicious JavaScript was pointing to, but the server wasn't responding.)

I'll report back if I have any new observations.