Microsoft Office Forums

Go Back   Microsoft Office Forums > >

Reply
 
Thread Tools Display Modes
  #61  
Old 01-06-2009, 08:55 AM
bob.g bob.g is offline FileError_22001 - New virus?? Windows XP FileError_22001 - New virus?? Office 2003
Novice
 
Join Date: Dec 2008
Posts: 14
bob.g is on a distinguished road
Default

Main key for encryption is stored under HKLM\Software\Fcd.
If you have that key in the registry - don't touch it.
If not - you can try to restore them from backups (if you have them), but make sure you change your system time back to the infection time (this is important!).
If you don't know infection time - you can find it by looking at modification time of encrypted files.

hope this information will help someone.

p.s. if you can send export and send me the value of HKLM\Software\Fcd registry key along with some samples of encrypted files - this will help a lot.
Reply With Quote
  #62  
Old 01-06-2009, 11:36 AM
Guitar1969 Guitar1969 is offline
Novice
 
Join Date: Dec 2008
Posts: 8
Guitar1969 is on a distinguished road
Default

I've been following this issue very carefully on various forums, and have heard some say that the encryption key is for 10% of the encrypted files, and then the other 90% were encrypted via a predictable key. If that is the case, why would the Decrypt tool need a key to decrypt all of the files. Is there any truth to this statement, or are people mistaken. I would be happy if I could get 90% of my files back at this point.

But I will tell you - this forum is definitely ahead of the others as far as information on this problem.

Michael
Reply With Quote
  #63  
Old 01-06-2009, 10:28 PM
Guitar1969 Guitar1969 is offline
Novice
 
Join Date: Dec 2008
Posts: 8
Guitar1969 is on a distinguished road
Default

Quote:
Originally Posted by bob.g View Post
Main key for encryption is stored under HKLM\Software\Fcd.
If you have that key in the registry - don't touch it.
If not - you can try to restore them from backups (if you have them), but make sure you change your system time back to the infection time (this is important!).
If you don't know infection time - you can find it by looking at modification time of encrypted files.

hope this information will help someone.

p.s. if you can send export and send me the value of HKLM\Software\Fcd registry key along with some samples of encrypted files - this will help a lot.

Bob:

PM Sent
Reply With Quote
  #64  
Old 01-09-2009, 07:19 AM
Angiie Angiie is offline
Novice
 
Join Date: Jan 2009
Posts: 1
Angiie is on a distinguished road
Default

Hello, my english is very bad, but could you help me? the te33decrupt says unable to find first key. Pc not infected? What can I do.Could you please explain me in simple words, because I canīt understand the posts here very well? thank you soo much. Angiie.
Reply With Quote
  #65  
Old 01-13-2009, 08:44 PM
bob.g bob.g is offline FileError_22001 - New virus?? Windows XP FileError_22001 - New virus?? Office 2003
Novice
 
Join Date: Dec 2008
Posts: 14
bob.g is on a distinguished road
Default

Quote:
Originally Posted by Angiie View Post
Hello, my english is very bad, but could you help me? the te33decrupt says unable to find first key. Pc not infected? What can I do.Could you please explain me in simple words, because I canīt understand the posts here very well? thank you soo much. Angiie.
Download and execute FCDInfo.exe:
SourceForge.net: FE22001 decryptor: Files
copy/paste the output of the program here, and we'll see what can we do in your case.
Reply With Quote
  #66  
Old 01-20-2009, 02:09 AM
bob.g bob.g is offline FileError_22001 - New virus?? Windows XP FileError_22001 - New virus?? Office 2003
Novice
 
Join Date: Dec 2008
Posts: 14
bob.g is on a distinguished road
Default

i've finished the initial version of decryption utility for testing.
now it should be able to find both encryption keys and decrypt all encrypted files.

download deFE22001.exe:
https://sourceforge.net/project/plat...platform=12963
save it a folder and execute. it will create "recover" folder with decrypted files keeping original directory structure.

1. if HKLM\Software\Fcd registry entry is absent - it won't be able to decrypt
2. make sure you have enough space to hold decrypted files on a disk which you run utility from
3. encrypted files should be in <app_data>/CDD and /FLR folders - exactly as the virus left the encrypted there

any comments/questions/feedback are welcomed.
Reply With Quote
  #67  
Old 01-25-2009, 10:08 AM
Vic911 Vic911 is offline
Novice
 
Join Date: Jan 2009
Posts: 1
Vic911 is on a distinguished road
Default File Error 22001 - on a Cruzer Dirve

Hello Bob. G,
I actually had my files on a Cruzer Drive, all the files on there seem to have been lost. My hard drive went out on my laptop and I replaced since, but still have not been able to recover the files. Anyone out there hnow to to recover them if they were and are still on this thumb drive. I have had the drive scanned and now it shows that the System file on the drive has a virus, but cannot delete it or fix it since the drive is locked/protected.

Vic
Reply With Quote
  #68  
Old 01-25-2009, 11:01 AM
Dee Dee is offline
Novice
 
Join Date: Jan 2009
Posts: 1
Dee is on a distinguished road
Default

Okay, I've got my son's computer where he allowed his anti-virus software to lapse. Grrrr. He has lots of college schoolwork that he can no longer access.

I've run the Dr. Web decryptor but it was unable to find main key and only part of files could be decrypted. Where are these decrypted files stored sincd I was unable to find not a one. Tried the sourceforge suggestion which I downloaded on a thumb drive to my computer (his Internet is not working), opened up on his and got an error msg. "This application has failed to start because the application configuration is incorrect. Reinstalling the application may fix this problem."

Is this because the HKLM\Software\Fcd registry entry is absent? With regedit where do I go to see if this registry key is there?

Thanks for your help as I am about to pull all my hair out.
Reply With Quote
  #69  
Old 01-26-2009, 04:22 PM
bob.g bob.g is offline FileError_22001 - New virus?? Windows XP FileError_22001 - New virus?? Office 2003
Novice
 
Join Date: Dec 2008
Posts: 14
bob.g is on a distinguished road
Default

Quote:
Originally Posted by Vic911 View Post
Hello Bob. G,
I actually had my files on a Cruzer Drive, all the files on there seem to have been lost. My hard drive went out on my laptop and I replaced since, but still have not been able to recover the files. Anyone out there hnow to to recover them if they were and are still on this thumb drive. I have had the drive scanned and now it shows that the System file on the drive has a virus, but cannot delete it or fix it since the drive is locked/protected.

Vic
Virus keeps encrypted files in following directories:
\Documents and Settings\<user>\Local Settings\Application Data\CDD
\Documents and Settings\<user>\Local Settings\Application Data\FLR
if you cannot find them - make sure you have "view hidden files" option enabled in your explorer, and check all the <user> folders.

if the files in these folders are reported as infected by your antivirus - do not let him to delete or fix it - that's not true - they are not infected, just encrypted.
if other files are reported infected and cannot be deleted - you can try to do a full scan in Safe Mode.
but before that export your "HKEY_LOCAL_MACHINE\SOFTWARE\Fcd" entry into some backup file - you will need it to decrypt your files later. otherwise if you antivirus deletes that registry key - you won't be able to recover your files.

if you provide more info - i could be more helpful.
Reply With Quote
  #70  
Old 01-26-2009, 04:28 PM
bob.g bob.g is offline FileError_22001 - New virus?? Windows XP FileError_22001 - New virus?? Office 2003
Novice
 
Join Date: Dec 2008
Posts: 14
bob.g is on a distinguished road
Default

Quote:
Originally Posted by Dee View Post
Okay, I've got my son's computer where he allowed his anti-virus software to lapse. Grrrr. He has lots of college schoolwork that he can no longer access.

I've run the Dr. Web decryptor but it was unable to find main key and only part of files could be decrypted. Where are these decrypted files stored sincd I was unable to find not a one. Tried the sourceforge suggestion which I downloaded on a thumb drive to my computer (his Internet is not working), opened up on his and got an error msg. "This application has failed to start because the application configuration is incorrect. Reinstalling the application may fix this problem."

Is this because the HKLM\Software\Fcd registry entry is absent? With regedit where do I go to see if this registry key is there?

Thanks for your help as I am about to pull all my hair out.
from your message i can be sure that your HKLM\Software\Fcd registry entry is present and you can decrypt all your files.
I've updated decrypt utility - it should not display that error message again.
download deFE22001.1.0b.exe from:
https://sourceforge.net/project/plat...platform=12963

note that decrypted files will be placed in newly created "recover" folder.
if anything goes wrong - please send me "defe22001.log" file which will be created - and i will see what can i do.
Reply With Quote
  #71  
Old 02-12-2009, 08:34 PM
Rick S Rick S is offline
Novice
 
Join Date: Feb 2009
Posts: 1
Rick S is on a distinguished road
Default

Bob I have been following this thread and reading how you have been able to help others recover their lost data. I need help too!!
All of my Office files are encripted and only about 5-10% of my pictures have been recovered using the info in your last couple of posts.
Can you help?

Thanks,
Rick
Reply With Quote
  #72  
Old 02-16-2009, 08:08 AM
bob.g bob.g is offline FileError_22001 - New virus?? Windows XP FileError_22001 - New virus?? Office 2003
Novice
 
Join Date: Dec 2008
Posts: 14
bob.g is on a distinguished road
Default

Quote:
Originally Posted by Rick S View Post
Bob I have been following this thread and reading how you have been able to help others recover their lost data. I need help too!!
All of my Office files are encripted and only about 5-10% of my pictures have been recovered using the info in your last couple of posts.
Can you help?

Thanks,
Rick
Rick,
please run deFE22001.exe utility. It will place your decrypted files into newly created "recover" folder.
if anything goes wrong, please send "fe22001.log" file to me: "bob dot grigoryan at gmail dot com".
Reply With Quote
  #73  
Old 03-17-2009, 10:00 AM
Dynamico Dynamico is offline
Novice
 
Join Date: Mar 2009
Posts: 1
Dynamico is on a distinguished road
Default Error 0xC005: Invalid header sequence. Corrupted block:

Guys I have read the whole thread here and I am getting this Error when I try to open files for example like .jpg. I was reading and I am not sure if it's the same problem. This is what I get

Application can't open the file due to data corruption
C:\Documents and Settings\(name).................(file directory)

Error 0xC005: Invalid header sequence.
Corrupted block:
DA69A8CA25EBAA0065961C71C147B78C
D4ECB8B02DDB4E05BD7A0083BC95C5A8
A53BAB0625A1E173205D1C38EC0C1682
D4CD0A24A6D319E335B7E8F9D8144FA3
EA194CA318FB4ECE6510DB4EF955BB62
5EB90AE9127F199B38007EA0E737FF66
9913AB8F0DD9E2E115FF38A509427629
32B1B80E7090402A9566B2B7E7EFD602

It also tells me to download FileFix Proffesional and then tells me to buy it. I have been looking all over the web for this issue and have only found this page with these threads. Is it the same problem as the File Error??? If not u guys know of any solution for it ?

I didn't open a new thread because not sure if it's a different problem.

Thanks in advance.
Reply With Quote
  #74  
Old 03-19-2009, 06:34 AM
bob.g bob.g is offline FileError_22001 - New virus?? Windows XP FileError_22001 - New virus?? Office 2003
Novice
 
Join Date: Dec 2008
Posts: 14
bob.g is on a distinguished road
Default

Quote:
Originally Posted by Dynamico View Post
Guys I have read the whole thread here and I am getting this Error when I try to open files for example like .jpg. I was reading and I am not sure if it's the same problem. This is what I get

Application can't open the file due to data corruption
C:\Documents and Settings\(name).................(file directory)

Error 0xC005: Invalid header sequence.
Corrupted block:
DA69A8CA25EBAA0065961C71C147B78C
D4ECB8B02DDB4E05BD7A0083BC95C5A8
A53BAB0625A1E173205D1C38EC0C1682
D4CD0A24A6D319E335B7E8F9D8144FA3
EA194CA318FB4ECE6510DB4EF955BB62
5EB90AE9127F199B38007EA0E737FF66
9913AB8F0DD9E2E115FF38A509427629
32B1B80E7090402A9566B2B7E7EFD602

It also tells me to download FileFix Proffesional and then tells me to buy it. I have been looking all over the web for this issue and have only found this page with these threads. Is it the same problem as the File Error??? If not u guys know of any solution for it ?

I didn't open a new thread because not sure if it's a different problem.

Thanks in advance.
it's a different virus:
FileFix Professional 2009
Reply With Quote
  #75  
Old 03-24-2009, 10:32 AM
barackrocksall barackrocksall is offline FileError_22001 - New virus?? Windows XP FileError_22001 - New virus?? Office 2003
Novice
 
Join Date: Mar 2009
Location: Memphis, TN
Posts: 8
barackrocksall is on a distinguished road
Default

So I've read a lot about this virus and I guess I've been blessed because I haven't been hit by it - but it also might be because I have Cyberdefender as my security softwre. I would be interested to see what security software you were using when you were infected.

THanks.
Reply With Quote
Reply

Thread Tools
Display Modes


Similar Threads
Thread Thread Starter Forum Replies Last Post
Possible virus in Microsoft Word which alters the formatting of documents Shirley Munro Word 8 09-18-2010 12:37 AM
Help-overwriting files-could it be macro virus? Timpotty Word 0 03-06-2009 04:28 PM
Possible Virus in Word which alters formatting of entire document Shirley Munro Word 2 02-09-2009 02:43 PM

Other Forums: Access Forums

All times are GMT -7. The time now is 11:32 AM.


Powered by vBulletin® Version 3.8.11
Copyright ©2000 - 2024, vBulletin Solutions Inc.
Search Engine Optimisation provided by DragonByte SEO (Lite) - vBulletin Mods & Addons Copyright © 2024 DragonByte Technologies Ltd.
MSOfficeForums.com is not affiliated with Microsoft