
Trojan.Encoder.33 (FileError_22001)

Hi Guys

This infection has a catch-22 situation, as the tool from Dr Web to decrypt the original files needs the infection to still be on the system (well, the registry keys), though you can stop it from running in Msconfig.

In saying that, if your security software like Norton has the malware flagged as High Risk, then the infection is removed automatically without asking the user what to do, and there is the problem. If the registry keys are removed by Norton, or by people doing the usual scanning with SuperAntispyware or Malwarebytes, then the decrypter doesn't work.

Steps to take, as long as Norton hasn't removed the infection:

1. Use "Msconfig" to deselect the startup process in the Startup tab. The process you are looking for looks something like "43718D7A.exe". Then apply and restart the PC. After that the Trojan should not be active.

2. Back up the two folders with the encrypted original files,

     \Documents and Settings\<username>\Local Settings\Application Data\CDD,

     \Documents and Settings\<username>\Local Settings\Application Data\FLR,

to a pendrive, CD or DVD etc., in case the decryption goes bad.

3. Now use the Dr Web decrypting tool to decrypt the .fcd files in the folders above back to their original state. If the tool doesn't work in your account, try when logged in via the other users' accounts, if any are available.

4. Once you have your original files back and are satisfied that all your photos etc. are back, back them up for safety.

5. Remove the Trojan completely.

Quads 

Message Edited by Quads on 12-23-2008 09:25 AM
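As an added example that is not from the original post or from Dr Web, a PowerShell script for the preparation in steps 1 and 2 above: it records whether the registry key and the startup entry are still present, exports the key so a later automatic clean-up cannot lose it, and copies the CDD and FLR folders to a backup location, checking the .fcd file counts match. The key name HKLM\Software\Fcd is taken from a later reply in this thread; that it is the key the decrypter depends on, the backup path, and the 8-hex-character pattern of the startup entry (generalised from the one name quoted above) are assumptions.

```powershell
# Added example, not from the original post. Assumptions: HKLM\SOFTWARE\Fcd is the key
# the Dr Web decrypter needs (named later in this thread); $BackupRoot is arbitrary;
# the startup entry name follows the "43718D7A.exe" pattern quoted in step 1.
param(
    [string]$BackupRoot   = "E:\Encoder33-backup",   # pendrive or external disk
    [string]$LocalAppData = "$env:USERPROFILE\Local Settings\Application Data"
)

$folders = @("CDD", "FLR")
$keyPath = "HKLM:\SOFTWARE\Fcd"
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

# 1. Check the registry key the decrypter relies on is still present and export it,
#    so that a later removal by the security software does not lose it.
if (Test-Path $keyPath) {
    Write-Host "Decrypter key present: $keyPath"
    & reg.exe export "HKLM\SOFTWARE\Fcd" (Join-Path $BackupRoot "Fcd.reg") /y | Out-Null
} else {
    Write-Warning "Key $keyPath missing: the Dr Web tool will probably not work on this account."
}

# 2. Report startup entries that look like the Trojan's random 8-hex-character name.
#    They should be disabled in Msconfig, not deleted, until decryption is done.
$runKeys = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
           "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
foreach ($rk in $runKeys) {
    if (-not (Test-Path $rk)) { continue }
    (Get-ItemProperty $rk).PSObject.Properties |
        Where-Object { $_.Value -match '\\[0-9A-F]{8}\.exe' } |
        ForEach-Object { Write-Host "Startup entry (disable in Msconfig, do not delete yet): $($_.Name) = $($_.Value)" }
}

# 3. Copy the two folders holding the encrypted files and verify the .fcd counts match.
foreach ($f in $folders) {
    $src = Join-Path $LocalAppData $f
    $dst = Join-Path $BackupRoot $f
    if (-not (Test-Path $src)) { Write-Warning "$src not found"; continue }
    Copy-Item -Path $src -Destination $dst -Recurse -Force
    $srcCount = (Get-ChildItem $src -Recurse -Filter *.fcd).Count
    $dstCount = (Get-ChildItem $dst -Recurse -Filter *.fcd).Count
    if ($srcCount -eq $dstCount) { Write-Host "$f : $srcCount .fcd files backed up" }
    else { Write-Warning "$f : copied only $dstCount of $srcCount .fcd files, do not proceed" }
}
```

Run it from the affected account before touching the infection; the exported Fcd.reg and the folder copies are what keep a later decryption attempt possible if the security suite removes the keys.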

Replies


Re: Trojan.Encoder.33 (FileError_22001)

Nice research Quads!

Looks like caution needs to be exercised with this new one.

Suggesting the normal malware removal procedures in this case will result in files being rendered unusable if they have not been decrypted prior to the infection being removed.

Careful questioning of an individual affected by this will be extremely important before dispensing any advice.

"Anyone who isn't confused really doesn't understand the situation."   Edward R. Murrow

Re: Trojan.Encoder.33 (FileError_22001)

Hi Phil

What is worrying is that on-demand scanners are one thing, as the user has to run the scan manually.

But what about the realtime protection, antivirus/antispyware programs that remove the infection automatically, including registry entries, without asking the user what to do, and thus the user has or had no say in the matter and no chance to follow the steps in my first post?

Then the non-decrypted files have to stay like that until a decryption program for this is created that does not need the registry entries.

This is then a problem not caused by the user, but by the realtime protection causing this secondary problem.

Quads 


Re: Trojan.Encoder.33 (FileError_22001)

So here's a crazy question. How can you reinfect your machine to get the tool to restore the files?

Re: Trojan.Encoder.33 (FileError_22001)

Hi

The re-infecting probably won't work, as the code in the registry keys seems to be random, so the re-infect keys won't be able to decrypt the files encoded by the previous infection.

There are a couple of people I have read about trying to decrypt without the registry keys.

Did you try running the tool logged in as a different user, if you have more than one account on the PC? Or did the security suite remove the infection completely?

Quads 


Re: Trojan.Encoder.33 (FileError_22001)

The infection seems to be totally removed. I worked real hard to get rid of it before I knew what damage it had done.

Re: Trojan.Encoder.33 (FileError_22001)

Like what most people and software do.

Quads 


Re: Trojan.Encoder.33 (FileError_22001)

Have you heard of any updates about a fix if the key has been removed?

Re: Trojan.Encoder.33 (FileError_22001)

Hi

No, I haven't, and I don't have the programs to do that sort of work either. I do see people are saying there is a new type of variation though, GULP.

Quads 


Re: Trojan.Encoder.33 (FileError_22001)

Do you have the HKLM\Software\Fcd registry entry?