#1
Hello folks. I've been following this thread with great interest over the past several days, because I have a customer who is in this predicament (I run a local computer service in my town).

I was ecstatic to see a fix, as the people are very upset over the loss of their data: business documents and spreadsheets, resumes and kids' school documents, thousands of family photos, etc. However, I no longer have the PC with me; I finally had to return it. I did, however, retain a copy of their data, but evidently some encryption keys are needed. I recreated the directory structure in a VMware virtual machine and restored the cdd and flr directories and their documents tree, and I'm just getting the "Unable to find the first key. PC not infected" message. I sure hope that these keys are found on the PC when the program is run there. I instructed them not to delete anything, just in case.

I did not find the trojan that caused this on their PC. I found and removed some common malware, but nothing that would cause this. I kept it for days, and in my opinion the system is clean of any active malware. I can usually tell when a system is jacked. It's not exhibiting any suspicious behaviour; all scans (Avira AntiVir, NOD32, Kaspersky, Malwarebytes, SUPERAntiSpyware, Spybot S&D, a-squared, etc.) come up clean now. No sinister rootkit activities. I did my usual manual hunting and poking too, both on and off the system. I spent an insane amount of time on this, but I really wanted to find the culprit and, more importantly, a solution. I think this was some sort of "hit and run" trojan: did its dirty work, and then buggered off. I found evidence in their temporary internet files of a possible route for this catastrophe, but I can't be sure. (I tried to download the malware executable the malicious JavaScript was pointing to, but the server wasn't responding.) I'll report back if I have any new observations.
#2
Quote:
When I found the encrypted files in these new folders I left them, as they were the exact same sizes as all my other files that went "missing," just in case something like this happened. Unfortunately I'm not familiar with which item would be the "key" to use, but Dr.Web had no problem finding it and decrypting my information and restoring it. A friend of mine also tried to recreate the issue to try and solve it, with no success. I'd guess that the key, and the ability to fix the infection, rests solely on the infected computer. -J
#3
It seems that, if the infected computer has been cleaned up by some anti-virus software, the required encryption-key file may have been removed, so the decryption tool can't recover the files.
#4
I'm guessing, then, that it's unique keys (or salts) in each instance; otherwise the recovery tool from Dr.Web wouldn't need to find them on the disk.
#5
The key files were on the PC, because my customers just emailed me back that it worked. I had emailed them the FTP link to the recovery tool. This is a great relief to me as well as to them. Because it was something automated, they were able to do it themselves too, saving me going out there and saving them another service call.

So my thanks to everyone in this thread for sharing your experiences. Also, if anyone from Dr.Web is reading this thread, my deepest thanks to you. I never gave Dr.Web much thought until now, but you did a good thing here and I'll be investigating the efficacy of your products and services.
#6
Anybody know the name of the encryption key file? My Dr.Web decryption program run isn't finding it. I ran Malwarebytes AV initially to remove or quarantine the virus, like everyone else did. Isn't this the same way everybody else got rid of the initial virus, leaving all of the corrupted files intact? Not sure why I can't find the encryption key file if others used the same process, as I didn't delete anything manually. Is there a quarantine folder I need to be looking for?

Any help would be appreciated, as I would really like to recover these files that are lost. Thanks,
#7
The key in the registry is used to calculate the encryption key. Some antiviruses might have deleted it along with the virus executable.

I believe there's an alternative way to find the encryption key. My team is working on the solution now.
#8
Well, I got rid of the virus and got all my files back, using a combination of information from this forum.

1) Remove the corrupted files (I know it sounds crazy, but it worked). Run "Download Dr.Web CureIt! Free anti-virus scanner, cures computers viruses." (the download is at the bottom left corner). This will identify the corrupted file. Run msconfig and disable the file at start up. Delete the file. Mine came up as 9129837.exe. I also deleted the drweb files; they are pretty large.

2) I then ran ftp://ftp.drweb.com/pub/drweb/windows/te33decrypt.exe. This restored all my Word documents and JPEGs to my desktop. I had 2587 files come back. As I moved the files back to their original locations I deleted the desktop icons. After the icons were removed I had to restart my computer to get the next "set" of icons. I continued this until I had restored all my files. Another note: 2 icons came up for each document; I believe one is called a DAT file (sorry, not really a tech guy, so not sure of the proper name). I deleted these.

The end result: I had all my files back. They can also be edited; everything seems to be working fine. Well, like I said, I am not a tech guy, but it seems to work. I hope this helps some of you.
#9
It says "Unable to find first key. PC not infected." What can I do?
#10
I am still having the same problem as you, as I posted above. At this point there is no solution yet if the decrypter doesn't find the key file. I am still curious what key file the decrypter is looking for (what the name is), as I want to manually search for it (or even try to recover a deleted file on my hard drive, if that is the problem), but it appears to be unknown. Dr.Web must know, as they created the decrypt file; the strange thing is, their web site doesn't even mention that decrypt program that they made.
#11
I am considering re-introducing the virus into my machine to see if the Dr.Web fix would work then. I had already cleaned my machine before I tried the fix, and my uninfected data is backed up. Anyone know how to re-introduce a virus?

Thanks all for the work on this effort!!
#12
I don't think you'd want to do that, because the data written to the registry (the user registry, by the sounds of it) that the key is based on may well be different on the second infection, and the tool will not be able to decrypt the original files anyway.
#13
Good point, and thank you! I hate this stupid virus... I don't enjoy other viruses, but the really insidious part is the inability to fix the files even after cleansing or restoring the machine.
#14
Thanks strij, Max, Matrix, and bob.g! It worked!! All 13808 of my .xls and .doc files have been recovered. You are truly a LIFE SAVER! I cannot imagine what I would have done if this fix hadn't come along! Cheers guys, Jim - Australia
#15
Still cannot get beyond the first key, though, and I am wondering if there is a solution for a machine that has already been cleaned of the virus. Wedding photos at stake.