12-22-2008 01:10 PM - edited 12-22-2008 01:25 PM
This infection has a Catch-22 situation, as the tool from Dr Web to decrypt the original files needs the infection to still be on the system (well, the registry keys), though you can stop it from running in Msconfig.
In saying that, if your security software like Norton has the malware flagged as High Risk, then the infection is removed automatically without asking the user what to do, and there is the problem. If the registry keys are removed by Norton, or by people doing the usual scanning with SuperAntispyware or Malwarebytes, then the decrypter doesn't work.
Steps to take, as long as Norton hasn't removed the infection:
1. Use "Msconfig" to deselect the startup process in the Startup tab. The process you are looking for looks something like "43718D7A.exe". Then apply and restart the PC. Afterwards the Trojan should not be active.
2. Back up the 2 folders with the encrypted original files:
\Documents and Settings\<username>\Local Settings\Application Data\CDD
\Documents and Settings\<username>\Local Settings\Application Data\FLR
to a pen drive, CD or DVD etc., in case the decryption goes bad.
3. Now use the Dr Web decryption tool to decrypt the .fcd files in the folders above back to their original state. If the tool doesn't work when in your account, try when logged in via the other users' accounts, if any are available.
4. Once you have your original files back and are satisfied all your photos etc. are back, back them up for safety.
5. Remove the Trojan completely.
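The step that matters most in the procedure above is preserving what the decrypter needs before anything (a user, an on-demand scanner, or real-time protection) gets a chance to remove it. The script below is an added example, not code from the original poster or from Dr Web. It snapshots the two standard autorun keys that Msconfig's Startup tab reads, flags entries whose command points at a file named like eight hex characters plus ".exe" (the "43718D7A.exe" pattern mentioned above), copies those binaries aside, and backs up the CDD and FLR folders. It assumes the Trojan's autorun entry lives in one of those two Run keys and that the registry data the decrypter needs is under them; neither is stated in the thread, so both are assumptions. It does not disable or remove anything.

```powershell
# Added example (not from the original post or from Dr Web).
# Purpose: preserve registry keys, suspect binaries and encrypted files BEFORE cleanup,
# so the decrypter still has everything it needs. Run from the affected user's account
# with administrator rights. Nothing here disables or removes the infection.
#
# Assumptions (not confirmed by the thread):
#   - the autorun entry is in one of the two standard Run keys below
#   - the executable name looks like 8 hex chars + ".exe", e.g. 43718D7A.exe
param(
    [string]$Dest = 'E:\encoder-backup'   # hypothetical: a folder on your pen drive
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $Dest -Force | Out-Null
$binDir = Join-Path $Dest 'suspect-binaries'
New-Item -ItemType Directory -Path $binDir -Force | Out-Null

# Msconfig's Startup tab is largely a view of these two keys.
$runKeys = @(
    'HKCU\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM\Software\Microsoft\Windows\CurrentVersion\Run'
)

# 1. Export each Run key in full with reg.exe, so the exact values survive any cleanup.
foreach ($k in $runKeys) {
    $regFile = Join-Path $Dest (($k -replace '[\\:]', '_') + '.reg')
    if (Test-Path $regFile) { Remove-Item $regFile -Force }
    reg export $k $regFile | Out-Null
}

# 2. Flag autorun values whose command contains an 8-hex-char .exe name.
$namePattern = '(?i)\\[0-9A-F]{8}\.exe'
$found = @()
foreach ($k in $runKeys) {
    $psPath = 'Registry::' + $k
    if (-not (Test-Path $psPath)) { continue }
    $props = Get-ItemProperty -Path $psPath
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PowerShell's own metadata
        if ($p.Value -match $namePattern) {
            $found += New-Object PSObject -Property @{ Key = $k; Name = $p.Name; Command = $p.Value }
        }
    }
}
$found | Format-Table Key, Name, Command -AutoSize
$found | Export-Csv (Join-Path $Dest 'suspect-autoruns.csv') -NoTypeInformation

# 3. Copy the flagged executables aside as well (the path may or may not be quoted).
foreach ($f in $found) {
    if ($f.Command -match '^"?(?<path>[^"]+?\.[eE][xX][eE])') {
        $exe = $Matches['path']
        if (Test-Path $exe) { Copy-Item $exe $binDir -Force }
    }
}

# 4. Back up the encrypted (.fcd) files before any decryption attempt.
#    GetFolderPath works on XP too, where $env:LOCALAPPDATA is not set.
$localAppData = [Environment]::GetFolderPath('LocalApplicationData')
foreach ($dir in 'CDD', 'FLR') {
    $src = Join-Path $localAppData $dir
    if (Test-Path $src) {
        Copy-Item $src (Join-Path $Dest $dir) -Recurse -Force
    }
}

Write-Host "Backup written to $Dest. Check suspect-autoruns.csv before disabling anything in Msconfig."
```

Run it once per user account on the machine, since the thread notes the decrypter may only work from the account that was infected and the Run key under HKCU is per user. The .reg exports can be re-imported with reg import if a scanner later strips the entries, which is the failure mode the first post describes.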
12-22-2008 07:46 PM
Nice research Quads!
Looks like caution needs to be exercised with this new one.
Suggesting the normal malware removal procedures in this case will result in files being rendered unusable if they have not been decrypted prior to the infection being removed.
Careful questioning of an individual affected by this will be extremely important before dispensing any advice.
Norton 360 • Norton Internet Security • Norton Zone | XP SP3 • Windows 7 Professional SP1 x64
• PLEASE, BACKUP or EXPORT your Identity Safe Data on a regular basis •
12-23-2008 12:50 AM
What is worrying is that on-demand scanners are one thing, as the user has to run the scan manually.
But what about the real-time protection, antivirus/antispyware programs that remove the infection automatically, including registry entries, without asking the user what to do, and thus the user has or had no say in the matter and no chance to follow the steps in my first post?
Then the non-decrypted files have to stay like that until a decryption program for this is created that doesn't need the registry entries.
This is then a problem not caused by the user, but by the real-time protection causing this secondary problem.
12-27-2008 06:40 PM
Re-infecting probably won't work, as the code in the registry keys seems to be random, so the re-infection keys won't be able to decrypt the files encoded by the previous infection.
There are a couple of people I have read about trying to decrypt without the registry keys.
Did you try running the tool logged in as a different user, if you have more than one account on the PC? Or did the security suite remove the infection completely?