Microsoft Office Forums

#1 Grogan, 12-20-2008, 12:51 AM

Hello folks. I've been following this thread with great interest over the past several days, because I have a customer who is in this predicament (I run a local computer service in my town).



I was ecstatic to see a fix, as the people are very upset over the loss of their data. Business documents and spreadsheets, resumes and kids' school documents, thousands of family photos etc.

However, I no longer have the PC with me, I finally had to return it. I did, however, retain a copy of their data, but evidently some encryption keys are needed. I recreated the directory structure in a VMware virtual machine and restored the cdd and flr directories and their documents tree, and I'm just getting the "Unable to find the first key. PC not infected".

I sure hope that these keys are found on the PC when the program is run there. I instructed them not to delete anything, just in case.

I did not find the trojan that caused this on their PC. I found and removed some common malware, but nothing that would cause this. I kept it for days, and in my opinion the system is clean of any active malware. I can usually tell when a system is jacked. It's not exhibiting any suspicious behaviour, all scans (Avira AntiVir, Nod32, Kaspersky, Malwarebytes, Superantispyware, Spybot S&D, A Squared etc.) come up clean now. No sinister rootkit activities. I did my usual manual hunting and poking too, both on and off system. I spent an insane amount of time on this, but I really wanted to find the culprit and more importantly, a solution.

I think this was some sort of "hit and run" trojan. Did its dirty work, and then buggered off. I found evidence in their temporary internet files of a possible route for this catastrophe, but I can't be sure. (I tried to download the malware executable the malicious JavaScript was pointing to but the server wasn't responding.)

I'll report back if I have any new observations.

#2 Spectreofwar, 12-20-2008, 09:17 AM

Quote: Originally posted by Grogan
> I sure hope that these keys are found on the PC when the program is run there. I instructed them not to delete anything, just in case.
>
> I did not find the trojan that caused this on their PC. I found and removed some common malware, but nothing that would cause this. I kept it for days, and in my opinion the system is clean of any active malware. I can usually tell when a system is jacked. It's not exhibiting any suspicious behaviour, all scans (Avira AntiVir, Nod32, Kaspersky, Malwarebytes, Superantispyware, Spybot S&D, A Squared etc.) come up clean now. No sinister rootkit activities. I did my usual manual hunting and poking too, both on and off system. I spent an insane amount of time on this, but I really wanted to find the culprit and more importantly, a solution.
>
> I think this was some sort of "hit and run" trojan. Did its dirty work, and then buggered off. I found evidence in their temporary internet files of a possible route for this catastrophe, but I can't be sure. (I tried to download the malware executable the malicious JavaScript was pointing to but the server wasn't responding.)

I used Malwarebytes (as McAfee was useless in this case to allow in and not detect -- even after a couple weeks -- this intruder) to remove a couple harmful registry files and one unknown... but I'm not sure if the unknown was this particular virus or not. I'm of a mind to agree with you that it was a 'Hit and run' virus as I was able to upload new photos safely without alteration shortly after infection, and those images remained unencrypted.

When I found the encrypted files in these new folders I left them, as they were the exact same sizes as all my other files that went "missing," just in case something like this happened. Unfortunately I'm not familiar with which item would be the 'key' to use, but Dr. Web had no problem finding it and decrypting my information and restoring it.

A friend of mine also tried to recreate the issue to try and solve it, with no success. I'd guess that the key, and the ability to fix the infection, rests solely on the infected computer.

-J