Main key for encryption is stored under HKLM\Software\Fcd.
If you have that key in the registry - don't touch it.
If not - you can try to restore them from backups (if you have them), but make sure you change your system time back to the infection time (this is important!).
If you don't know infection time - you can find it by looking at modification time of encrypted files.
hope this information will help someone.
p.s. if you can send export and send me the value of HKLM\Software\Fcd registry key along with some samples of encrypted files - this will help a lot.
|