Microsoft Office Forums

#31
12-19-2008, 10:54 PM
Guitar1969

Unfortunately the program isn't working for me either - when I run it, it says "Error . Unable to find first key. PC is not infected." I got the virus on 12/5/08 and all of my doc, jpgs, and xls files were corrupted. I have previously deleted the virus, but still need to get the corrupted files back.

Does this particular virus have a specific name, as the program doesn't seem to be recognizing it on my computer and I can't find any info on the web about the name of the virus? It's not called FileError_22001, although that is the error we see.

Any help would be appreciated.

Thanks

Michael

#32
12-20-2008, 12:51 AM
Grogan

Hello folks. I've been following this thread with great interest over the past several days, because I have a customer who is in this predicament (I run a local computer service in my town).

I was ecstatic to see a fix, as the people are very upset over the loss of their data. Business documents and spreadsheets, resumes and kids' school documents, thousands of family photos etc.

However, I no longer have the PC with me; I finally had to return it. I did, however, retain a copy of their data, but evidently some encryption keys are needed. I recreated the directory structure in a VMware virtual machine and restored the cdd and flr directories and their documents tree, and I'm just getting the "Unable to find the first key. PC not infected".

I sure hope that these keys are found on the PC when the program is run there. I instructed them not to delete anything, just in case.

I did not find the trojan that caused this on their PC. I found and removed some common malware, but nothing that would cause this. I kept it for days, and in my opinion the system is clean of any active malware. I can usually tell when a system is jacked. It's not exhibiting any suspicious behaviour, all scans (Avira AntiVir, Nod32, Kaspersky, Malwarebytes, Superantispyware, Spybot S&D, A Squared etc.) come up clean now. No sinister rootkit activities. I did my usual manual hunting and poking too, both on and off system. I spent an insane amount of time on this, but I really wanted to find the culprit and more importantly, a solution.

I think this was some sort of "hit and run" trojan. Did its dirty work, and then buggered off. I found evidence in their temporary internet files of a possible route for this catastrophe, but I can't be sure. (I tried to download the malware executable the malicious JavaScript was pointing to, but the server wasn't responding.)

I'll report back if I have any new observations.

#33
12-20-2008, 01:38 AM
Matrix

It seems that, if the infected computer has been cleaned up by some anti-virus software, the required encrypt-key file may have been removed, thus the decryption tool can't recover the files.

#34
12-20-2008, 02:45 AM
Grogan

I'm guessing then, that it's unique keys (or salts) in each instance, otherwise the recovery tool from Dr.Web wouldn't need to find them on the disk.

#35
12-20-2008, 08:58 AM
patentatty
It worked too

It worked for me too. Thanks Spectreofwar, strij, Matrix, and bob.g's effort!!!!! Merry Christmas!!

Quote:
Originally Posted by Spectreofwar
Thanks strij and Matrix, and bob.g's effort.

ftp://ftp.drweb.com/pub/drweb/windows/te33decrypt.exe worked like a charm!!!
All my *.jpg, *.doc, and *.xls files are repaired and useable once again (all 17,660 affected files, holy crap I had that many?).

Program does indeed work, and I'm spreading the word myself.

Thanks again!

-J

#36
12-20-2008, 09:17 AM
Spectreofwar

Quote:
Originally Posted by Grogan
I sure hope that these keys are found on the PC when the program is run there. I instructed them not to delete anything, just in case.

I did not find the trojan that caused this on their PC. I found and removed some common malware, but nothing that would cause this. I kept it for days, and in my opinion the system is clean of any active malware. I can usually tell when a system is jacked. It's not exhibiting any suspicious behaviour, all scans (Avira AntiVir, Nod32, Kaspersky, Malwarebytes, Superantispyware, Spybot S&D, A Squared etc.) come up clean now. No sinister rootkit activities. I did my usual manual hunting and poking too, both on and off system. I spent an insane amount of time on this, but I really wanted to find the culprit and more importantly, a solution.

I think this was some sort of "hit and run" trojan. Did its dirty work, and then buggered off. I found evidence in their temporary internet files of a possible route for this catastrophe, but I can't be sure. (I tried to download the malware executable the malicious JavaScript was pointing to, but the server wasn't responding.)

I used Malwarebytes (as McAfee was useless in this case to allow in and not detect -- even after a couple weeks -- this intruder) to remove a couple harmful registry files and one unknown... but I'm not sure if the unknown was this particular virus or not. I'm of a mind to agree with you that it was a 'Hit and run' virus as I was able to upload new photos safely without alteration shortly after infection, and those images remained unencrypted.

When I found the encrypted files in these new folders I left them, as they were the exact same sizes as all my other files that went "missing," just in case something like this happened. Unfortunately I'm not familiar with which item would be the 'key' to use, but Dr. Web had no problem finding it and decrypting my information and restoring it.

A friend of mine also tried to recreate the issue to try and solve it, with no success. I'd guess that the key, and the ability to fix the infection, rests solely on the infected computer.

-J

#37
12-20-2008, 12:27 PM
Grogan

The key files were on the PC, because my customers just emailed me back that it worked. I had emailed them the ftp link to the recovery tool. This is a great relief to me as well as them. Because it was something automated they were able to do it themselves too, saving me going out there and saving them another service call.

So my thanks to everyone in this thread for sharing your experiences.

Also, if anyone from Dr.Web is reading this thread, my deepest thanks to you. I never gave Dr.Web much thought until now, but you did a good thing here and I'll be investigating the efficacy of your products and services.

#38
12-20-2008, 06:01 PM
Guitar1969

Anybody know the name of the encryption key file, as my Dr Web decryption program run isn't finding it? I ran Malwarebytes AV initially to remove or quarantine the virus like everyone else did - isn't this the same way everybody else got rid of the initial virus, leaving all of the corrupted files intact? Not sure why I can't find the encryption key file if others used the same process, as I didn't delete anything manually - is there a quarantine folder I need to be looking for?

Any help would be appreciated as I would really like to recover these files that are lost.

Thanks,

#39
12-20-2008, 08:25 PM
happgoluckynow
Try This

THANK YOU TO WHOEVER FOUND THIS FIX OUT!

Initially it found no errors under my user name and desktop. I then tried to find the folder it was looking for and couldn't locate it under my name either, so... if the fix program doesn't find anything under your user name and you use XP with multiple users, go into each user and try to run it. Whoever initially contracted the virus will have the folder needed to decrypt the files. I ran it under each person's name on my XP and finally found the user who had the folders.

Try that and good luck. It really restored my files and now I AM GOING TO BACK THEM ALL UP!!!

THANKS

#40
12-20-2008, 10:54 PM
Guitar1969

Unfortunately I couldn't get it to work on the only other login I have on my computer either. Anybody have any other ideas about where the key could be located or a name of the file, or another workaround? I've spent quite a bit of time on the Dr Web website looking for info about the tool they created, and the strange thing is there is no mention of the virus (still doesn't appear to have a name) or the tool they created - the virus name they refer to on the decrypter doesn't appear on the web. Also, there is no mention of the tool either - you would think they would want some credit for it.

I might try contacting them directly and see if they can help (not sure how that will go seeing they are a Russian company), but any other ideas would be appreciated.

I really need to figure out a way to make it work, and it seems I am so close

#41
12-20-2008, 11:40 PM
bob.g

The key in the registry is used to calculate the encryption key. Some antiviruses might have deleted it along with the virus executable.
I believe there's an alternative way to find the encryption key. My team is working on the solution now.

#42
12-21-2008, 07:42 AM
joe8787
My resolution

Well I got rid of the virus and got all my files back. Using a combination of information from this forum.

1) Remove the corrupted files (I know it sounds crazy but it worked). Run Download Dr.Web CureIt! Free anti-virus scanner, cures computers viruses. The download is at the bottom left corner. This will identify the corrupted file. Run msconfig and disable the file at startup. Delete the file. Mine came up as 9129837.exe. I also deleted the drweb files; they are pretty large.

2) I then ran ftp://ftp.drweb.com/pub/drweb/windows/te33decrypt.exe
This restored all my Word and jpegs to my desktop. I had 2587 files come back. As I moved the files back to original locations I deleted the desktop icons. After the icons were removed I had to restart my computer to get the next "set" of icons. I continued this until I had restored all my files. Another note: 2 icons came up for each document; I believe one is called a DAT file (sorry, not really a tech guy so not sure of proper name). I deleted these. The end result: I had all my files back. They can also be edited; everything seems to be working fine.

Well like I said I am not a tech guy but it seems to work. I hope this helps some of you.

#43
12-21-2008, 03:40 PM
leoorl

It says unable to find first key. PC not infected? What can I do?

#44
12-21-2008, 05:14 PM
Guitar1969

Quote:
Originally Posted by leoorl
It says unable to find first key. PC not infected? What can I do?

I am still having the same problem as you, as I posted above - at this point there is no solution yet if the decrypter doesn't find the key file. I am still curious what key file the decrypter is looking for (what the name is), as I want to manually search for it (or even try to recover a deleted file on my hard drive if that is the problem), but it appears to be unknown. Dr Web must know as they created the decrypt file - strange thing is, their web site doesn't even mention that decrypt program that they made.

#45
12-21-2008, 07:38 PM
woodfired
Re-introduce Virus

I am considering re-introducing the virus into my machine to see if the Dr.Web fix would work then. I had already cleaned my machine before I tried the fix and my uninfected data is backed up. Anyone know how to re-introduce a virus or is this just crazy talk?

Thanks all for the work on this effort!!