Hello everyone,


I thought I was alone in this problem when i just discovered it while trying to open a very important document that I need for my travel day after tomorrow, but felt a bit happy when I noticed it wasn't only me!! Meaning more brains could solve it. So, any brain out there can solve this problem and help us out, plssssssss?

Thx

I received this virus on 11/29. Is anyone having issues associated with Adobe Reader and this file error? This virus hit almost 8000 files on my pc, including Adobe. When I try to uninstall the 8.1.1 version, I receive an error. When I try to install 9.0, I also receive an error that 8.1.1 can't be uninstalled.

We do data recovery, we can potentially repair your files. Business rates start at $200 and go up from there depending on how long it takes.

I would suggest you backup your files even if they've been altered.

If the file extension has been changed i.e. doc or docx to fcd or something else, try changing it back to doc or docx.

You'll have to enable show extensions in your folder settings.

If the files have been corrupted then we can possibly do a repair on the files or extract the data from them, but we charge for data recovery.

Had a client with the same issue, but here extensions did not change; meaning i.e. the .doc did not change. However, when she tried to open the file she got the error.

She copied the files to a usb key and then copied one file back and renamed the file and then it opened. You might not need to copy the file back and forth, just try renaming the files and see if they open.

I haven't tested it myself but give it a whirl.

I tried to rename - and also used the USB stick trick. Didn't work. Any other ideas? Anything? AVG virus scanner didn't find anything. PLEASE HELP!

hey Msnobody,

Well it was a long shot, in fact, I'm surprised that worked for her.

Like I said I never tested it or saw the issue first hand to troubleshoot it.

But, it sounds like your files are corrupt and are needing data recovery.

If you send me a few files, as a test, I'll see if I can repair them, at no charge.

Send to Kevin@247techinc.com

Regards,

Kevin

I've been doing more investigation on the corrupted files. (I have CD backup copies of some of my affected files, so I can compare the two and see what has changed.) Below is a technical summary of what I've found so far, which is being provided in the hopes that others working on the problem may find it useful. If you are only looking for the solution, please be aware that I haven't figured it out.

First off, note that simply changing the file names back to *.doc, *.xls, *.jpg, etc. does not work. Nor does copying them to different places. The files have been modified by this virus, which uses some sort of scrambling algorithm.

It appears that identical copies of the corrupted files were stored in both the \CDD and \FLR directories. As mentioned above, the source files have been scrambled with an algorithm that I cannot decipher at this time. An ASCII path & file name were inserted at the beginning of the resulting .fcd file. The ASCII string identifies where the source file came from.

I used a hex editor to determine the following:

There is a hex 00 byte that marks the end of the ASCII string. When I delete the ASCII string and the hex 00 byte at the beginning of the file, the known good file and the corrupted file have the same exact file length. So I don't believe any other data was added to the corrupted .fcd file.

The algorithm used to scramble the data appears to operate on 64-bit (8 byte) values at a time. It generates repeatable results every 64 bits for long strings of the same input value. The results of the algorithm also do not appear to change from one file to the next, so it does NOT look like a separate key value was used to seed the algorithm differently for each file. That's a little good news. Hopefully the results are also repeatable from one computer to the next, but I do not have any way to determine that myself (only one of my computers was affected).

Here are 4 examples of how the algorithm modifies the file data, 8 bytes at a time:

Source data (in hex) Resulting data (in hex)
00 00 00 00 00 00 00 00 CB A7 BE 9E 85 3E DA 3E
00 00 00 00 01 00 00 00 A9 A4 6B 8D 68 D6 C0 07
00 00 00 10 00 00 00 00 D8 5B 98 00 BF F7 95 83
FF FF FF FF FF FF FF FF CC B0 A4 B9 E3 28 DE 73

As mentioned above, if the 8 byte input value repeats, the resulting data repeats as well. So, taking the first example, for every set of 8 consecutive all-zero bytes aligned on a 64-bit boundary, the resulting data is always CB A7 ... This is good news, from the standpoint that there is not some continuous random number seed that percolates through the entire file.

That said, the algorithm is complicated enough to produce wildly different data when even a single bit is changed in the source data. If you look at the difference between the first two lines in the examples above, only one bit differentiates the first and second source data values. Yet the resulting data from the algorithm is quite different between the two. The same is true if you compare the first and third lines.

The scrambling algorithm is more complicated than a simple XOR. I've also looked at some LFSR implementations a little (which are commonly used for scrambling purposes), but have not found anything that explains the behavior yet.

It's not clear that I'll ever figure this out, but I'll keep plugging away at it. I can provide more examples of how the input data gets modified if that would help anybody else to decipher the algorithm. If somebody can figure that out, restoring these files would require an application program, but it would be pretty simple to implement. Good luck all.

Sorry, the table in the post above didn't show up as I typed it. Here's the same data in a more readable format -

Example 1
Source data (in hex)
00 00 00 00 00 00 00 00

Resulting data (in hex)
CB A7 BE 9E 85 3E DA 3E


Example 2
Source data (in hex)
00 00 00 00 01 00 00 00

Resulting data (in hex)
A9 A4 6B 8D 68 D6 C0 07


Example 3
Source data (in hex)
00 00 00 10 00 00 00 00

Resulting data (in hex)
D8 5B 98 00 BF F7 95 83


Example 4
Source data (in hex)
FF FF FF FF FF FF FF FF

Resulting data (in hex)
CC B0 A4 B9 E3 28 DE 73

Btw, I ran malware-bytes, it's a spyware removal utility, which should get rid of the spyware. You can download it from Free Software Downloads and Reviews - Download.com.

Your files are definitely corrupt and need to be repaired.

I'm trying to write a recovery tool for files corrupted by this virus.

So if anyone have the virus executable files quarantined by antivirus and I can get a copy them - i will try to disassemble them, figure out encryption algorithm and write a recovery tool.

Also some samples of encrypted files and corresponding original files would be very helpful.

This is a decrypt utility by DrWeb (on russian language):
http://www.recoveryfiles.ru/te33decrypt.exe

Thanks for posing a solution, strij.

strji also gave a download URL on drweb: ftp://ftp.drweb.com/pub/drweb/windows/te33decrypt.exe

If anyone has success with this tool, please post back.

Thanks strij and Matrix, and bob.g's effort.

ftp://ftp.drweb.com/pub/drweb/windows/te33decrypt.exe worked like a charm!!!
All my *.jpg, *.doc, and *.xls files are repaired and useable once again (all 17,660 affected files, holy crap I had that many?).

Program does indeed work, and I'm spreading the word myself.

Thanks again!

-J

it worked... sort of
all my .txt and .jpg's are back but .doc and .xls

it said that it was searcing for main key and that it couldnt find it.
is that what happened for you matrix and spectreofwar

if you still have your main key can you send me a copy or make a link to it so i can see if it can find it and decrypt my .doc files please

think it might be called crypted.txt