#61
The main key for encryption is stored under HKLM\Software\Fcd.
If you have that key in the registry - don't touch it. If not - you can try to restore them from backups (if you have them), but make sure you change your system time back to the infection time (this is important!). If you don't know the infection time - you can find it by looking at the modification time of the encrypted files.
Hope this information will help someone.
P.S. If you can export and send me the value of the HKLM\Software\Fcd registry key along with some samples of encrypted files - this will help a lot.
#62
I've been following this issue very carefully on various forums, and have heard some say that the encryption key is for 10% of the encrypted files, and then the other 90% were encrypted via a predictable key. If that is the case, why would the Decrypt tool need a key to decrypt all of the files? Is there any truth to this statement, or are people mistaken? I would be happy if I could get 90% of my files back at this point.
But I will tell you - this forum is definitely ahead of the others as far as information on this problem.
Michael
#63
Quote:
Bob: PM Sent
#64
Hello, my English is very bad, but could you help me? The te33decrupt says unable to find first key. PC not infected? What can I do? Could you please explain to me in simple words, because I can't understand the posts here very well? Thank you so much.
Angiie.
#65
Quote:
SourceForge.net: FE22001 decryptor: Files
Copy/paste the output of the program here, and we'll see what we can do in your case.
#66
I've finished the initial version of the decryption utility for testing.
Now it should be able to find both encryption keys and decrypt all encrypted files.
Download deFE22001.exe: https://sourceforge.net/project/plat...platform=12963
Save it to a folder and execute. It will create a "recover" folder with decrypted files, keeping the original directory structure.
1. If the HKLM\Software\Fcd registry entry is absent - it won't be able to decrypt.
2. Make sure you have enough space to hold the decrypted files on the disk which you run the utility from.
3. Encrypted files should be in the <app_data>/CDD and /FLR folders - exactly as the virus left the encrypted files there.
Any comments/questions/feedback are welcome.
#67
File Error 22001 - on a Cruzer Drive
Hello Bob. G,
I actually had my files on a Cruzer Drive, and all the files on there seem to have been lost. My hard drive went out on my laptop and I have replaced it since, but still have not been able to recover the files. Does anyone out there know how to recover them if they were and are still on this thumb drive? I have had the drive scanned and now it shows that the System file on the drive has a virus, but I cannot delete it or fix it since the drive is locked/protected.
Vic
#68
Okay, I've got my son's computer where he allowed his anti-virus software to lapse. Grrrr. He has lots of college schoolwork that he can no longer access.
I've run the Dr. Web decryptor but it was unable to find the main key and only part of the files could be decrypted. Where are these decrypted files stored, since I was unable to find not a one? I tried the SourceForge suggestion, which I downloaded on a thumb drive on my computer (his Internet is not working), opened it up on his and got an error msg: "This application has failed to start because the application configuration is incorrect. Reinstalling the application may fix this problem." Is this because the HKLM\Software\Fcd registry entry is absent? With regedit, where do I go to see if this registry key is there? Thanks for your help, as I am about to pull all my hair out.
#69
Quote:
\Documents and Settings\<user>\Local Settings\Application Data\CDD
\Documents and Settings\<user>\Local Settings\Application Data\FLR
If you cannot find them - make sure you have the "view hidden files" option enabled in your Explorer, and check all the <user> folders.
If the files in these folders are reported as infected by your antivirus - do not let it delete or fix them - that's not true - they are not infected, just encrypted.
If other files are reported infected and cannot be deleted - you can try to do a full scan in Safe Mode. But before that, export your "HKEY_LOCAL_MACHINE\SOFTWARE\Fcd" entry into some backup file - you will need it to decrypt your files later. Otherwise, if your antivirus deletes that registry key - you won't be able to recover your files.
If you provide more info - I could be more helpful.
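The preservation steps from the reply above, together with the modification-time check suggested in post #61, as an added PowerShell example that is not part of the thread or of the decryptor project. The backup folder name and CSV file name are assumptions, and the profile path is the Windows XP layout quoted in the reply.

```powershell
# Added example (not from the thread). It only reads the registry key and the
# encrypted folders; the only thing it writes is a new backup folder.
# Run from an elevated prompt BEFORE any antivirus scan or cleanup.
$stamp        = Get-Date -Format 'yyyyMMdd-HHmmss'
$backupDir    = Join-Path $env:SystemDrive "Fcd-backup-$stamp"        # assumed location
$profilesRoot = Join-Path $env:SystemDrive 'Documents and Settings'   # XP layout from the thread
New-Item -ItemType Directory -Path $backupDir | Out-Null

# 1. Preserve the key named in the thread before anything can remove it.
if (Test-Path 'HKLM:\SOFTWARE\Fcd') {
    $regFile = Join-Path $backupDir 'Fcd.reg'
    & reg.exe export 'HKLM\SOFTWARE\Fcd' $regFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed (exit code $LASTEXITCODE)" }
    Write-Output "Key exported to $regFile"
} else {
    Write-Warning 'HKLM\SOFTWARE\Fcd is absent; per the thread the decryptor cannot work without it.'
}

# 2. Inventory the CDD and FLR folders of every profile, hidden items included.
#    The earliest modification time approximates the infection time (post #61).
$report = @(foreach ($userDir in Get-ChildItem -LiteralPath $profilesRoot -Force |
                                 Where-Object { $_.PSIsContainer }) {
    foreach ($name in 'CDD', 'FLR') {
        $dir = Join-Path $userDir.FullName "Local Settings\Application Data\$name"
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        $files = @(Get-ChildItem -LiteralPath $dir -Recurse -Force |
                   Where-Object { -not $_.PSIsContainer } |
                   Sort-Object LastWriteTime)
        if ($files.Count -eq 0) { continue }
        New-Object PSObject -Property @{
            Folder   = $dir
            Files    = $files.Count
            Earliest = $files[0].LastWriteTime
            Latest   = $files[-1].LastWriteTime
        }
    }
})

# 3. Keep the inventory next to the exported key and show it on screen.
if ($report.Count -gt 0) {
    $rows = $report | Select-Object Folder, Files, Earliest, Latest
    $rows | Export-Csv -Path (Join-Path $backupDir 'encrypted-folders.csv') -NoTypeInformation
    $rows | Format-Table -AutoSize
} else {
    Write-Warning "No CDD or FLR folders containing files were found under $profilesRoot"
}
```

Copy the backup folder to removable media before scanning, so the exported key survives even if the antivirus removes the registry entry.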
#70
Quote:
I've updated the decrypt utility - it should not display that error message again.
Download deFE22001.1.0b.exe from: https://sourceforge.net/project/plat...platform=12963
Note that decrypted files will be placed in the newly created "recover" folder.
If anything goes wrong - please send me the "defe22001.log" file which will be created - and I will see what I can do.
#71
Bob, I have been following this thread and reading how you have been able to help others recover their lost data. I need help too!!
All of my Office files are encrypted and only about 5-10% of my pictures have been recovered using the info in your last couple of posts. Can you help?
Thanks,
Rick
#72
Quote:
Please run the deFE22001.exe utility. It will place your decrypted files into the newly created "recover" folder.
If anything goes wrong, please send the "fe22001.log" file to me: "bob dot grigoryan at gmail dot com".
#73
Error 0xC005: Invalid header sequence. Corrupted block:
Guys, I have read the whole thread here and I am getting this error when I try to open files, for example .jpg files. I was reading and I am not sure if it's the same problem. This is what I get:
Application can't open the file due to data corruption
C:\Documents and Settings\(name).................(file directory)
Error 0xC005: Invalid header sequence. Corrupted block:
DA69A8CA25EBAA0065961C71C147B78C D4ECB8B02DDB4E05BD7A0083BC95C5A8 A53BAB0625A1E173205D1C38EC0C1682 D4CD0A24A6D319E335B7E8F9D8144FA3 EA194CA318FB4ECE6510DB4EF955BB62 5EB90AE9127F199B38007EA0E737FF66 9913AB8F0DD9E2E115FF38A509427629 32B1B80E7090402A9566B2B7E7EFD602
It also tells me to download FileFix Professional and then tells me to buy it. I have been looking all over the web for this issue and have only found this page with these threads. Is it the same problem as the File Error? If not, do you guys know of any solution for it? I didn't open a new thread because I'm not sure if it's a different problem. Thanks in advance.
#74
Quote:
FileFix Professional 2009
#75
So I've read a lot about this virus and I guess I've been blessed because I haven't been hit by it - but it also might be because I have Cyberdefender as my security software. I would be interested to see what security software you were using when you were infected.
Thanks.