#1
Has anyone thought of using system restore to restore to a previous date where the registry key was there and the system was infected?
Of course, usually when you cure a system from a virus you disable the system restore, but in some cases it might have been forgotten. Still not sure this will enable you to decrypt the files but it might be something to try. Anyone think this would be a possible avenue to look at?
#2
I would think Microsoft would step up and try to help in this since this virus was obviously targeted to their users mainly, and their IE Vulnerability was the cause. They are being awful quiet about it.
#3
My computer was infected with this on December 5th and I was DEVASTATED to find all my photos of my 2 babies (13 months and 1 month) GONE ... I didn't have anything backed up and I literally wanted to cry as file after file appeared as "FileError_22001" ... I consulted a few tech savvy friends who hadn't heard of anything, but promised me they'd look into it. I downloaded and ran trial versions of Norton and McAfee antiviruses, but nothing could determine anything but a few tracking cookies was amiss on my computer. I left it for DAYS, scared that if I did anything, more files would get messed up.

I then started searching online and came up with this forum. I have been checking in about once a week for the past month or so, and now I had to register to say a HUGE thank you to whoever it was that was able to figure this out. I was (fortunately) advised NOT to delete anything, as this was still really new and perhaps someone would be able to find something (and if not, well, the files are lost anyway). I had high hopes every time I checked the forums, but until today, I was left disappointed and not at all hopeful. I sincerely hope that you are all able to find what you need (main keys, etc) to run this AMAZING tool on your machines. All but a handful of my 28500+ photos are back and I'm about to go looking at my .doc's and other files (nothing majorly important, so no real loss if they're gone).

One question ... what are the files that have been placed on my desktop? All of my photos are still in their original folders and locations.

Thanks again. You guys are lifesavers!! Merry Christmas to everyone and all the best through the holidays and into the new year!
~ Krystina
#4
This mess occurred to wife's comp on 12/7/08.
She was looking up items on the internet (recipes). Took a break for an hour or so, and when she came back, said she was having problems. Some were the classics others have written about. McAfee had been installed and updated since the system was new, and apparently was catching whatever it was that was trying to get through, but not completely. Her system would start up, then McAfee would flash a few warnings, similar to but not complete, text such as:

Generic Rootkit.d (File)
Location c:\Windows\new_drv.sys
Program Client Server Runtime Process
Location C:\WINDOWS\9129837.exe

Then suddenly a small screen would appear with text containing the following:

System is Shutting Down
Initiated by NT Authority\ System
C:WINDOWS\System32\services.exe Terminated unexpectedly.......
Status Code 1073741819

The system would in fact shut down, then automatically restart and go through the same series all over again. The McAfee log shows on 12/7 eight cases of generic rootkit.d (Trojan) found and deleted. On 12/8 seven cases of the same generic rootkit.d (Trojan) found and deleted. The only way to stop the constant shutting down and restart was to interrupt the restart and start in safe mode. Once in safe mode, the only way that I was able to get a good startup without the errors was to revert to an earlier good start point.

Ran my own complete scan with McAfee - nothing found
Worked direct with McAfee, who scanned even further - nothing found
Worked with Microsoft who further scanned - nothing found

Still getting the file error_22001 on all word, excel, and jpeg files. Ran fixes suggested here, with the response: UNABLE TO FIND FIRST KEY - PC IS NOT INFECTED

It sounds like McAfee did about 95% of its job, but in doing so, deleted the virus. By deleting the virus, I apparently have come up with the same problem as others, the lack of, or unable to find the first key. Has anyone had any further luck on a fix in such a situation? Any help greatly appreciated...
Pulling out what few hairs I have left.
#5
I have used Malwarebytes to successfully remove the virus and like many others, I cannot restore all of my files due to the response: UNABLE TO FIND FIRST KEY - PC IS NOT INFECTED. My Malwarebytes program does have all of the virus objects listed under the quarantine tab, so I am wondering if someone knows if I could restore one of these items and then run the restore program to get back all of my files. My question is, does anyone know where the keys are stored?
#6
Hi
First I have to give credit where credit is due - there is a user by the name of duffpaddy (David Lipman)
FileError_22001 Fix
Follow his instructions and life becomes good. I just recovered my files by using the dr web tool and am in the process of running the malware search and destroy tool from malwarebytes.org

excerpt from the forum posted by duffpaddy
************************************************
It is a case of Cryptovirology and DrWeb calls it "Trojan.Encoder.33" and has a tool for decryption.
ftp://ftp.drweb.com/pub/drweb/windows/te33decrypt.exe
10% of the files can be decrypted based upon a key in the Registry. The other 90% can be decrypted through a predictable key.
-- Dave
Generic Trojan / Adware Infestation Removal Procedures
Multi-AV - Multi-AV Scanning Tool - PCtipp.ch - Downloads
******** end of excerpt*******************

Good Luck
Marc
#7
Here is another solution - again not my work, just directing other unfortunate souls such as myself
Trojan.Encoder.33 (FileError_22001) - Norton Internet Security / Norton AntiVirus - Norton Community

Excerpt from the above link

Hi Guys
This Infection has a catch 22 situation as the tool from Dr Web to decrypt the original files needs the infection to still be on the system, well the registry keys, though you can stop it from running in Msconfig. In saying that, if your Security software like Norton has the Malware flagged as High Risk then the infection is removed automatically without asking the user what to do, and there is the Problem. If the Registry Keys are removed by Norton or by people doing the usual scanning with SuperAntispyware or Malwarebytes, then the decrypter doesn't work.

Steps to take as long as Norton hasn't removed the infection.

1. Use "Msconfig" to deselect the startup process in the startup tab. The process you are looking for looks something like "43718D7A.exe". Then apply and restart the PC. After the Trojan should not be active.
2. Backup the 2 folders with the encrypted original files \Documents and Settings\<username>\Local Settings\Application Data\CDD, \Documents and Settings\<username>\Local Settings\Application Data\FLR. To pendrive, CD or DVD etc. In case the decryption goes bad.
3. Now use the Dr Web decrypting tool to decrypt the .fcd files in the folders above back to their original state. If the tool doesn't work when in your account, try when logged in via the other users' accounts if any available.
4. Once you have your original files back, back them up for safety, once you are satisfied all your photos etc are back.
5. Remove the Trojan completely

Quads
Message Edited by Quads on 12-23-2008 09:25 AM
#8
I thought I would post the actual information listed within the Malware quarantine tab to see if anyone knows which registry values might be able to be restored and then recover the files:

1) Vendor: Rootkit.Agent Category: Registry Key Items: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv
2) Vendor: Rootkit.Agent Category: Registry Key Items: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\new_drv
3) Vendor: Trojan.Agent Category: Registry Key Items: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ttool (Data: C:\WINDOWS\9129837.exe)
#9
Seems like people are moving on and all of us are stuck with thousands of lost files. Disappointing that most of the big name virus programs (And MICROSOFT) didn't do their job in stopping this virus in the first place. I'll tell you one thing - I am now running Mozilla Firefox as a browser - so much better than IE7 and none of the security vulnerabilities now.
#10
Main key for encryption is stored under HKLM\Software\Fcd.
If you have that key in the registry - don't touch it. If not - you can try to restore them from backups (if you have them), but make sure you change your system time back to the infection time (this is important!). If you don't know infection time - you can find it by looking at modification time of encrypted files.
Hope this information will help someone.
P.S. If you can export and send me the value of HKLM\Software\Fcd registry key along with some samples of encrypted files - this will help a lot.
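
A preservation step that follows from posts #7 and #10, as an added example that is not part of any post in the thread: it exports HKLM\Software\Fcd, copies the CDD and FLR folders, and records the earliest .fcd modification time before any cleaner is run. It assumes PowerShell 2.0 or later, an elevated prompt, the XP profile layout quoted in post #7, and a hypothetical external drive E:.

```powershell
# Added example: preserve what the decrypter depends on BEFORE any cleanup.
# Assumptions (not from the thread): PowerShell 2.0+, elevated prompt,
# and a hypothetical destination drive E:\ (pendrive or external disk).
$dest = 'E:\fcd-preserve-' + (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $dest | Out-Null

# 1. Export the key named in post #10; never edit or delete it.
if (Test-Path 'HKLM:\Software\Fcd') {
    & reg.exe export 'HKLM\Software\Fcd' (Join-Path $dest 'Fcd.reg')
    if ($LASTEXITCODE -ne 0) { Write-Warning 'reg export failed' }
} else {
    Write-Warning 'HKLM\Software\Fcd is missing (already removed by a cleaner?)'
}

# 2. Copy the two folders holding the encrypted originals (post #7, step 2).
$appData = Join-Path $env:USERPROFILE 'Local Settings\Application Data'
foreach ($name in 'CDD', 'FLR') {
    $src = Join-Path $appData $name
    if (Test-Path $src) {
        Copy-Item -Path $src -Destination (Join-Path $dest $name) -Recurse -Force
    } else {
        Write-Warning "$src not found for this account"
    }
}

# 3. Record the earliest .fcd modification time as the likely infection time.
$first = Get-ChildItem -Path $appData -Recurse -Force -Filter '*.fcd' `
             -ErrorAction SilentlyContinue |
         Sort-Object LastWriteTime | Select-Object -First 1
if ($first) {
    $stamp = $first.LastWriteTime.ToString('yyyy-MM-dd HH:mm:ss')
    "Earliest encrypted file: $($first.FullName) at $stamp (local time)" |
        Set-Content (Join-Path $dest 'infection-time.txt')
} else {
    Write-Warning 'No .fcd files found under this profile'
}
```

Run it once per user account on the machine, since both the folders and the timestamp are per profile.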
#11
I've been following this issue very carefully on various forums, and have heard some say that the encryption key is for 10% of the encrypted files, and then the other 90% were encrypted via a predictable key. If that is the case, why would the Decrypt tool need a key to decrypt all of the files? Is there any truth to this statement, or are people mistaken? I would be happy if I could get 90% of my files back at this point.
But I will tell you - this forum is definitely ahead of the others as far as information on this problem.
Michael
#12
Bob: PM Sent
#13
Guys I have read the whole thread here and I am getting this Error when I try to open files for example like .jpg. I was reading and I am not sure if it's the same problem. This is what I get

Application can't open the file due to data corruption
C:\Documents and Settings\(name).................(file directory)
Error 0xC005: Invalid header sequence.
Corrupted block: DA69A8CA25EBAA0065961C71C147B78C D4ECB8B02DDB4E05BD7A0083BC95C5A8 A53BAB0625A1E173205D1C38EC0C1682 D4CD0A24A6D319E335B7E8F9D8144FA3 EA194CA318FB4ECE6510DB4EF955BB62 5EB90AE9127F199B38007EA0E737FF66 9913AB8F0DD9E2E115FF38A509427629 32B1B80E7090402A9566B2B7E7EFD602

It also tells me to download FileFix Professional and then tells me to buy it. I have been looking all over the web for this issue and have only found this page with these threads. Is it the same problem as the File Error??? If not u guys know of any solution for it
I didn't open a new thread because not sure if it's a different problem. Thanks in advance.
#14
FileFix Professional 2009
#15
So I've read a lot about this virus and I guess I've been blessed because I haven't been hit by it - but it also might be because I have Cyberdefender as my security software. I would be interested to see what security software you were using when you were infected.
Thanks.