Hi Guys
This infection has a catch-22 situation, as the tool from Dr.Web to decrypt the original files needs the infection to still be on the system (well, the registry keys), though you can stop it from running in Msconfig.
In saying that, if your security software like Norton has the malware flagged as High Risk, then the infection is removed automatically without asking the user what to do, and there is the problem. If the registry keys are removed by Norton or by people doing the usual scanning with SuperAntispyware or Malwarebytes, then the decrypter doesn't work.
Steps to take, as long as Norton hasn't removed the infection:
1. Use "Msconfig" to deselect the startup process in the Startup tab. The process you are looking for looks something like "43718D7A.exe". Then apply and restart the PC. After that the Trojan should not be active.
2. Back up the 2 folders with the encrypted original files
\Documents and Settings\<username>\Local Settings\Application Data\CDD,
\Documents and Settings\<username>\Local Settings\Application Data\FLR.
to a pendrive, CD or DVD etc., in case the decryption goes bad.
3. Now use the Dr.Web decrypting tool to decrypt the .fcd files in the folders above back to their original state. If the tool doesn't work when in your account, try when logged in via the other users' accounts, if any are available.
4. Once you have your original files back, back them up for safety once you are satisfied that all your photos etc. are back.
5. Remove the Trojan completely
Quads
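The backup step above (step 2) is where people lose their last chance of recovery, because a copy that silently failed looks the same as a good one until the decrypter is run. The PowerShell script below is an added example, not part of Quads' post and not a Dr.Web tool: it lists the current user's Run entries read-only (to help spot the random-named exe for step 1 without deleting anything), counts the .fcd files in the CDD and FLR folders named in the post, then copies both folders to a backup location and verifies every copied file by SHA-256. The $BackupRoot path is an assumption you change to your pendrive or DVD staging folder; Get-FileHash needs PowerShell 4 or later, so on an XP machine you would run the copy from another PC or substitute certutil -hashfile.

```powershell
# Added example: verified backup of the encrypted CDD/FLR folders before decryption.
param(
    [string]$BackupRoot = 'E:\fcd-backup'   # assumed: your pendrive or DVD staging folder
)

# On XP the folders live under "Local Settings\Application Data"; on newer Windows
# $env:LOCALAPPDATA points at the equivalent AppData\Local folder.
$LocalAppData = if ($env:LOCALAPPDATA) { $env:LOCALAPPDATA }
                else { Join-Path $env:USERPROFILE 'Local Settings\Application Data' }
$SourceFolders = @(
    (Join-Path $LocalAppData 'CDD'),
    (Join-Path $LocalAppData 'FLR')
)

function Get-FcdInventory {
    param([string[]]$Folders)
    # Count the encrypted .fcd files per folder so you know what the decrypter should give back.
    foreach ($folder in $Folders) {
        if (-not (Test-Path $folder)) { Write-Warning "Folder not found: $folder"; continue }
        $fcd = @(Get-ChildItem -Path $folder -Recurse -File -Filter '*.fcd' -ErrorAction SilentlyContinue)
        [pscustomobject]@{ Folder = $folder; FcdFiles = $fcd.Count }
    }
}

function Copy-FolderVerified {
    param([string]$Source, [string]$Destination)
    # Copy the folder, then compare the SHA-256 of every original with its copy.
    # Returns the number of files that are missing or differ; 0 means the backup is trustworthy.
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    Copy-Item -Path (Join-Path $Source '*') -Destination $Destination -Recurse -Force
    $bad = 0
    $prefixLength = $Source.TrimEnd('\').Length + 1
    foreach ($file in Get-ChildItem -Path $Source -Recurse -File) {
        $relative = $file.FullName.Substring($prefixLength)
        $copy = Join-Path $Destination $relative
        if (-not (Test-Path $copy)) { Write-Warning "Missing in backup: $relative"; $bad++; continue }
        $origHash = (Get-FileHash -Algorithm SHA256 -Path $file.FullName).Hash
        $copyHash = (Get-FileHash -Algorithm SHA256 -Path $copy).Hash
        if ($origHash -ne $copyHash) { Write-Warning "Hash mismatch: $relative"; $bad++ }
    }
    return $bad
}

# Step 1 aid: show this user's Run entries read-only. Nothing is removed here, since the
# post explains the decrypter needs the infection's registry keys still present.
Write-Host 'Startup (Run) entries for this user:'
Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue |
    Select-Object -Property * -ExcludeProperty PS* | Format-List

# Step 2: inventory, then verified copy of each folder.
Get-FcdInventory -Folders $SourceFolders | Format-Table -AutoSize

foreach ($src in $SourceFolders) {
    if (-not (Test-Path $src)) { continue }
    $dst = Join-Path $BackupRoot (Split-Path $src -Leaf)
    $problems = Copy-FolderVerified -Source $src -Destination $dst
    if ($problems -eq 0) {
        Write-Host "Verified backup of $src -> $dst"
    } else {
        Write-Warning "$problems file(s) under $dst failed verification; fix the backup before running the decrypter"
    }
}
```

Run it before step 3 and keep the printed .fcd counts: after the Dr.Web tool has run, the number of recovered files in each folder should match, and if it does not, the verified copy on the pendrive is what you retry from.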