I don't think you'd want to do that, because the data written to the registry (user registry by the sounds of it) that the key is based on may likely be different on the second infection, and the tool will not be able to decrypt the original files anyway.

Thanks strij, Max, Matrix, and bob.g! It worked!! All 13808 of my .xls and .doc files have been recovered. You are truly a LIFE SAVER! I cannot imagine what I would have done if this fix hadn't come along! Cheers guys, Jim - Australia

Good point and thank you ! I hate this stupid virus ..... I don't enjoy other viruses but the really insidious part is the inability to fix the files even after cleansing or restoring the machine.

Still cannot get beyond first key though, and I am wondering if there is a solution for a machine that has already been cleaned of the virus. Wedding photos at stake

Has anyone though of using system restore to restore to a previous date where the registry key was there and the system was infected ?

of course, usually when you cure a system from a virus you disable the system restore but in some case it might have been forgotten.

Still not sure this will enable you to decrypt the files but it might be something to try.

Anyone think this would be a possible avenue to look at?

Thank you bob.g, strij, and Matrix, and all those who have worked on a solution to the FileError_22001 virus. I was able to restore all of my files today!! I am extremely grateful! Happy Holidays!!

System Restore does not restore your document/data files - it affects systems files only. I did try to system restore to before I cleaned the virus(So I could possible have the encrypt key) but I got a message that it could not restore that restore point. After trying restore a couple different days with no luck I gave up.

I would think Microsoft would step up and try to help in this since this virus was obviously targeted to their users mainly, and their IE Vulnerability was the cause. They are being awful quiet about it.

My computer was infected with this on December 5th and I was DEVESTATED to find all my photos of my 2 babies (13 months and 1 month) GONE ... I didn't have anything backed up and I literally wanted to cry as file after file appeared as "FileError_22001" ... I consulted a few tech savvy friends who hadn't heard of anything, but promised me they'd look into it. I downloaded and ran trial versions Norton and McAfee antiviruses, but nothing could determine anything but a few tracking cookies was amiss on my computer. I left it for DAYS, scared that if I did anything, more files would get messed up.

I then started searching online and came up with this forum. I have been checking in about once a week for the past month or so, and now I had to register to say a HUGE thank you to whoever it was that was able to figure this out. I was (fortunately) advised NOT to delete anything, as this was still really new and perhaps someone would be able to find something (and if not, well, the files are lost anyway). I had high hopes every time I checked the forums, but until today, I was left disappointed and not at all hopeful.

I sincerely hope that you are all able to find what you need (main keys, etc) to run this AMAZING tool on your machines. All but a handful of my 28500+ photos are back and I'm about to go looking at my .doc's and other files (nothing majorly important, so no real loss if they're gone).

One question ... what are the files that have been placed on my desktop? All of my photos are still in their original folders and locations.

Thanks again. You guys are lifesavers!! Merry Christmas to every and all the best through the holidays and into the new year!

~ Krystina

This mess occurred to wife's comp on 12/7/08.
She was looking up items on the internet (recipes). Took a break for an hour or so, and when she came back, said she was having problems. Some were the classics others have written about. McAfee had been installed and updated since the system was new, and apparently was catching whatever it was that was trying to get through, but not completely. Her system would start up, then McAfee would would flash a few warnings, similar to but not complete, text such as:

Generic Rootkit.d
(File) Location c:\Windows\new_drv.sys
Program Client Server Runtime Process
Location C:\WINDOWS\9129837.exe

Then suddenly a small screen would appear with text containing the following:

System is Shutting Down
Initiated by NT Authority\ System

C:WINDOWS\System32\services.exe
Terminated unexpectedly.......
Status Code 1073741819

The system would in fact shut down, then automatically restart and go through the same series all over again.

The McAfee log shows on 12/7 Eight cases of generic rootkit.d (Trojan) found and deleted.

On 12/8 Seven cases of the same generic rootkit.d (Trojan) found and deleted.

The only way to stop the constant shutting down and restart was to interrupt the restart and start in safe mode. Once in safe mode, the only way that I was able to get a good startup without the errors was to revert to an earlier good start point.

Ran my own complete scan with McAfee - nothing found
Worked direct with McAfee, who scanned even further - nothing found
Worked with Microsoft who further scanned - nothing found

Still getting the file error_22001 on all word, excel, and jpeg files.

Ran fixes suggested here, with the response: UNABLE TO FIND FIRST KEY - PC IS NOT INFECTED

It sounds like McAfee did about 95% of its job, but in doing so, deleted the virus. By deleting the virus, I apparently have come up with the same problem as others, the lack of, or unable to find the first key.

Has anyone had any further luck on a fix in such a situation?

Any help greatly appreciated...
Pulling out what few hairs I have left.

I have used Malwarebytes to successfully remove the virus and like many others, I cannot restore all of my files due to the response: UNABLE TO FIND FIRST KEY - PC IS NOT INFECTED. My Malwarebytes program does have all of the virus objects listed under the quarantine tab, so I am wondering if someone knows if I could restore one of these items and then run the restore program to get back all of my files. My question is, does anyone know where the keys are stored?

STRIJ, I swear I can kiss you!! It worked! I got every file back!!! I am so happy I am beside myself!!! Thank you, Thank you, Thank you, Thank you forever and ever!!

Hi
First I have to give credit where credit is due - there is a user by the name of duffpaddy (David Lipman)
FileError_22001 Fix
Follow his instructions and life becomes good. I just recovered my files by using the dr web tool and am in the process of running the malware search and destroy tool from malwarebytes.org

excerpt from the forum posted by duffpaddy
************************************************
It is a case of Cryptovirology and DrWeb calls it "Trojan.Encoder.33" and has a
tool for
decryption.
ftp://ftp.drweb.com/pub/drweb/windows/te33decrypt.exe

10% of the files can be decrypted based upon a key in the Registry.
The other 90% can be decrypted through a predictable key.


--
Dave
Generic Trojan / Adware Infestation Removal Procedures
Multi-AV - Multi-AV Scanning Tool - PCtipp.ch - Downloads

******** end of excerpt*******************
Good Luck
Marc

Here is another solution - again not my work just directing other unfortunate souls such as myself

Trojan.Encoder.33 (FileError_22001) - Norton Internet Security / Norton AntiVirus - Norton Community

Excerpt from the above link

Hi Guys

This Infection has a catch 22 situation as the tool from Dr Web to decrypt the original files needs the infection to still be on the system, well the registry keys, though you can stop it from running in Msconfig.
In saying that if your Security software like Norton has the Malware flagged as High Risk then the infection is removed automatically without asking the user what to do, and there is the Problem. If the Registry Keys are removed by Norton or by people doing the usual scanning with SuperAntispyware or Malwarebytes, then the decrypter doesn't work.

Steps to take as long as Norton hasn't removed the infection.

1. Use "Msconfig" to deselect the startup process in the startup tab, The process you are looking for looks something like "43718D7A.exe" Then apply and restart the PC. After the Trojan should not be active.

2. Backup the 2 folders with the encrypted original files
\Documents and Settings\<username>\Local Settings\Application Data\CDD,
\Documents and Settings\<username>\Local Settings\Application Data\FLR.

To pendrive, CD or DVD etc. In case the decryption goes bad.

3. Now use the Dr Web decrypting tool to decrypt the .fcd files in the folders above back to their original state. If the tool doesn't work when in your account try when logged in via the others users accounts if any available.

4. Once you have your original files back, back them up for safety, once you are satisfied all your photos etc are back.

5. Remove the Trojan completely

Quads
Message Edited by Quads on 12-23-2008 09:25 AM

I thought I would post the actual information listed within the Malware quarantine tab to see if anyone knows which registry values might be able to be restored and then recover the files:

1)
Vendor: Rootkit.Agent
Category: Registry Key
Items: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\new_drv

2)
Vendor: Rootkit.Agent
Category: Registry Key
Items: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\n ew_drv

3)
Vendor: Trojan.Agent
Category: Registry Key
Items: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run\ttool(Data: C:\WINDOWS\9129837.exe)

I would be curious if this works - As I had some of the same entries in MalWareBytes and restored them, and the decrypt still didn't work, and then I had opened the door to all sorts of other spyware - I untimately ran Malwarebytes again and it removed like 32 spywares.

Seems like people are moving on and all of us are stuck with thousands of lost files. Disappointing that most of the big name virus programs(And MICROSOFT) didn't do their job in stopping this virus in the first place

i'll tell you one thing - I am now running Mozilla Firefox as a browser - so much better than IE7 and none of the security vulnerabilities now.