PCrenovators asked:
I am working on a PC and all the files have a FileError_22001 when you open them (Word, Excel, JPEGs). Is this a virus or malware problem, and how do I remove it?

Ardhendu Sarangi: Did you try googling the error code?
 
PCrenovators (asker): Yes, no real answers yet. Could be a new malware/virus threat.
I suspect it is malware. Post a HijackThis log and some of our resident malware experts will take a look.

I haven't seen such behavior recently, but new stuff comes along regularly.
HijackThis log attached

Thanks
hijackthis.log
I'd get rid of this one, although it is not the cause:
O2 - BHO: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll

Didn't see anything else suspicious. Did see that Malwarebytes Anti-Malware is installed. Have you run it, and was any malware detected?
Here's the Malwarebytes log. I did this before posting the problem. I removed the infections before I posted here.
Still had the file error.


mbam-log-2008-12-04--15-56-58-.txt
Should I consider these files lost? Could they still be hidden on the drive?
According to MBAM log, no actions were taken on infected files. Try running MBAM again and allow it to remove files.

I don't think your files are recoverable. It appears they have been overwritten.

I'll send out a request for other experts to take a look.
Have you tried moving one or two of the files to another PC to see if they can be opened there?
Yes, and they still have the error.
I opened Word and created a test document and saved it to the desktop. I opened the doc and it doesn't have the error. I will recheck the doc today to see if it remains unaltered. I also copied a JPEG from a web page to the desktop and it also had no error. The items in the Malwarebytes scan and the suggested
O2 - BHO: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll file that
willcomp suggested were the only files removed.
Could one of these files have been the culprit?



Not in my experience. I've seen all the malware listed in MBAM log a number of times and have not seen data files affected. Viruses, rather than adware/spyware, are usually responsible for such damage.
For some possibly helpful information... Those of you that may still be fighting this malware: I have a customer that has been saving all of her work as *.rtf, and all of those documents have been spared. They are associated with Word 2007, and the application opens them perfectly. The application is not corrupted, nor does it corrupt the files upon opening or saving. This might be helpful: if you can remove the infected hard drive to a clean PC, and open and re-save them as *.rtf, this might be a temporary band-aid for at least Word docs. I have not been able to rename any of the documents to have them open in the original associated application, BUT, if you open the document in WordPad, in the first line you will see the original folder location and file name.

<lightbulb> I'm going to plug that drive into my Ubuntu laptop and see what it sees! I will post more regarding what I find! I have not seen anybody post any attempts at a Linux peek yet.
I also have a user getting this error: FileError_22001. I sent myself one of the documents, an Excel spreadsheet, and when I open it on my system I see the same thing.
I attached the file and also did a snippet paste of the file opened with Notepad.

Wes
[Notepad view of the attached spreadsheet; the raw binary rendering is omitted here. The readable strings in it, in order, are: the OLE2 compound-document signature (ÐÏࡱá), the name Yani, the font Arial, Excel number-format strings, the sheet names Sheet1 through Sheet6, the cell text FileError_22001, the printer Xerox Phaser 3122 with Letter paper, the font Courier New, the name Yani again, the sheet names again, and the stream directory Root Entry, Workbook, SummaryInformation, DocumentSummaryInformation (listed twice).]


FileError22001Sept-08-GO-s.xls
Do any of you know the root cause -- what malware or other malfunction that caused the problem?
Kaspersky IDs it as a "trojan".  Panda has no information.  Norton, as usual, knows nothing.
wmiller... that is the first xls file I have seen opened in WordPad. The original file info is not present. My previous post regarding the first line DOES apply to .jpg and .doc (and .docx) files.
ddmcp2000: I use notepad instead of wordpad as notepad displays the file as it is with no formatting.
I got my user's Office suite working back to normal after I did a virus scan and eliminated what it found. I then uninstalled the Office 2003 suite, and under the application folder of Documents and Settings I deleted all the Office folders and then reinstalled the Office suite. Now all new documents created and saved open fine.

I need to find a way to recover the old ones now.

Wes
wmiller:  You are in the same place I am.  I haven't had to re-install or remove any apps, they still work perfectly.  As I find out more, I'll post.
I just found this info:
Malwarebytes (Malwarebytes.org) has a scanning tool that seems to remove the virus, but it does not restore the lost files.
On my machine, the lost files appear to have been relocated in two directories, where they seem to have been scrambled and renamed with the file extension ".fcd". The directories containing these files are:
\Documents and Settings\<username>\Local Settings\Application Data\CDD, and
\Documents and Settings\<username>\Local Settings\Application Data\FLR.
Reference Site: http://www.msofficeforums.com/word/1034-fileerror_22001-new-virus.html
Haven't been able to confirm the above yet, as I have to get in touch with the user to access the machine with the issue.

Wes
Wes:  Identical errors and file location moves.  All of my user's files were moved to those very locations.  The file sizes are different, so I can only hope that the information is still there.  I, too, am looking for a possible recovery solution.  Yes, the MBAM does fix the PROBLEM, but does not recover the damage.
I'm ready to reinstall the OS on the PC. I removed the problem, but can't find any relocated files.
I want to return the PC to the owner. I backed up the docs to CD. PDFs are okay. The only other thing I could offer was to save this drive in case the files could be found and recovered if a fix should come up, and install a new drive and reinstall the OS.

The hardest part of computer repair to me is not being able to recover the lost data files.

I will check on any updates to this post and will award points  when we run out of ideas.

Thanks for all the Experts help thus far!

Tom
I confirmed on my user's system the above folders exist, but also found all her files within folders also got hit if they were Office-related or JPG graphic files. The above folders only have 403 MB of files each and she had about 3 GB of files in My Documents, so not sure they all got put in there!

She is not happy; she had some critical files that are now not accessible.
Hopefully indeed a way to recover the documents can be found.

Wes
Wes:  I feel your pain.  Many people are not going to understand that there is only so much that a human, bleeding IT tech can do.  It will also teach her how critical a little step called "backing up" is.  In this case, backing up may not have helped all that much, as I cannot say if this particular malware is memory resident and jumps immediately on EVERY target file or what.  If it does, then backing up might not have fixed all of the issues for her, because once she plugged in a thumb drive or whatever, it may have corrupted those immediately, as well.  Me?  I back up to TWO thumb drives or a redundant network location all really critical files.

I have been scouring the internet, I have emails in to Panda Security, Trend Micro, and Kaspersky (I have clients that use all of these products, so I have paid technical support from all three) to see if there is a solution to this problem.  I will post everything I can once I find it, and hopefully we can address a solution for our customers...  and soon!
I decided to take one last look and found the CDD and the FLR folders. The files were created at the same time. I am backing up the files in case they can be converted if a fix is found. The file sizes average around 1.2 MB, which could be JPEGs.
I have this virus on my computer.  I have removed the infected hard drive and resetup a new hard drive.  I want to copy files off the infected hard drive, but obviously not the virus.  Does this virus have a name?  How is it spread?  Is there a way to check for infection?  
Novice is a generous moniker for me to start. I contracted the virus Sunday night. Spent 4 hrs w/ Symantec getting it removed from my laptop yesterday and have been assured my system is now 'safe'. Have no idea what we hit to download this but pop-ups for 'Winweb Security 2008' wouldn't stop! Symantec tech kept assuring me my files were still there in my system, thus should be fine. But, all affected files have been re-configured to about 18 to 20 MB with only the "FileError_22001" message in any of them... xls, doc, jpeg, PowerPoint. Spoke with Dell tech and his quote was, '...extremely nasty virus,' and that all affected files had been overwritten and most likely lost and unrecoverable. Nice optimism. Have no idea what to do to recover files and yes... a recent backup would have been extremely intelligent and helpful right now. My wife has told me this many times. Still obviously looking for help. Any recommendations short of an FBI lab are appreciated.
Very unfortunate. If any of you with this problem has a sample file where you have both copies, before and after it was damaged (e.g. you may have a good copy from an earlier backup), please post them both here. Preferably select a file that isn't huge. I will be glad to take a look at the extent of the damage, though cannot promise any success, obviously. Also hoping someone else will come up with a fix, so hold on to the damaged files by all means.
There's a similar thread on BleepingComputer. Here's a link in case they find something first.
http://www.bleepingcomputer.com/forums/topic184882.html
I have been working on this since Saturday, with very few answers yet beyond what's already been posted here. However, I have found one program that will restore most of the files: "Doc Regenerator". They probably created this damn virus! It is not a perfect program and would be very time consuming looking up and resaving thousands of files, but it is at least a solution in case the CDD and FLR folders cannot be fixed. They offer a free trial and preview, so you can view the files it finds before you pay for anything. It found most of my files, but I'm waiting it out to see if there's an easier solution.

I have backups of files before the virus, and of course copies after the infection.  However all the bad *.jpg files are identical (4,440 bytes) files so I don't think the new file has any of the original files data.

The worst part of this for me is the backup software I use automatically backs up as I change files. So my backup has copies after the virus has done its damage. I can restore older versions, but that requires several clicks for each file.
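A triage script for the situation the last few posts describe, added here as an example and not code posted by anyone in the thread. It walks a folder tree, flags every file whose contents carry the literal FileError_22001 text (as 8-bit text or UTF-16), checks the leading bytes of the remaining files against the signature expected for their extension, and groups the flagged decoys by size and SHA-256 so byte-identical stubs (such as the 4,440-byte .jpg files mentioned above) show up as one cluster. The signature table and the sample files are my own constructions for the demo; a file that genuinely discusses the error text will also be flagged, so treat the output as a worklist rather than a verdict.

```python
"""Triage a folder tree for files hit by the FileError_22001 malware.

Added example for this thread, not code posted by anyone in it. Each file is
classified as:
  stub    - its contents contain the literal FileError_22001 text
  intact  - no marker, and the leading bytes match the signature for its extension
  unknown - no marker, but no signature is known for the extension or it differs
Stubs are then clustered by (size, sha256) so identical decoys show up together.
The signature table and the sample files are constructed for the demo.
"""
import hashlib
import os
import tempfile
from collections import defaultdict

# The marker as 8-bit text (how BIFF/Word store plain ASCII) and as UTF-16LE.
MARKERS = (b"FileError_22001", "FileError_22001".encode("utf-16-le"))

# Leading bytes expected for common document types (assumed, not from the thread).
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # .doc/.xls/.ppt compound document
SIGNATURES = {
    ".doc": OLE2, ".xls": OLE2, ".ppt": OLE2,
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-", ".rtf": b"{\\rtf",
}


def contains_marker(path, chunk=1 << 20):
    """Scan the whole file, not just its head: decoys of 18-20 MB were reported.
    A tail of len(marker)-1 bytes is carried over so a marker straddling two
    chunks is still found."""
    overlap = max(len(m) for m in MARKERS) - 1
    tail = b""
    with open(path, "rb") as f:
        while True:
            data = f.read(chunk)
            if not data:
                return False
            window = tail + data
            if any(m in window for m in MARKERS):
                return True
            tail = window[-overlap:]


def classify(path):
    """Marker wins over signature: the posted .xls has a valid OLE2 header and
    still carries nothing but the marker in its only cell."""
    if contains_marker(path):
        return "stub"
    sig = SIGNATURES.get(os.path.splitext(path)[1].lower())
    with open(path, "rb") as f:
        head = f.read(max(len(s) for s in SIGNATURES.values()))
    return "intact" if sig is not None and head.startswith(sig) else "unknown"


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def triage(root):
    """Walk root and return counts, the paths per class, and stub clusters keyed
    by (size, sha256); identical decoys collapse into one cluster."""
    by_class, clusters = defaultdict(list), defaultdict(list)
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            p = os.path.join(dirpath, name)
            cls = classify(p)
            by_class[cls].append(p)
            if cls == "stub":
                clusters[(os.path.getsize(p), sha256_of(p))].append(p)
    return {"counts": {k: len(v) for k, v in by_class.items()},
            "by_class": dict(by_class), "clusters": dict(clusters)}


def build_sample_tree():
    """Constructed stand-in files in a temp dir (not real samples)."""
    root = tempfile.mkdtemp(prefix="fe22001_")
    decoy_jpg = b"FileError_22001".ljust(4440, b"\x00")     # 4,440-byte stub
    files = {
        "photo_ok.jpg": b"\xff\xd8\xff\xe0" + bytes(200),
        "photo_bad.jpg": decoy_jpg,
        "photo_bad2.jpg": decoy_jpg,                          # byte-identical decoy
        "budget.xls": OLE2 + bytes(64) + b"FileError_22001" + bytes(64),
        "report.docx": b"PK\x03\x04" + bytes(32),
        "notes.txt": b"just some notes\n",
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    report = triage(build_sample_tree())
    print(report["counts"])
    for (size, digest), paths in report["clusters"].items():
        print(f"{len(paths)} identical stub(s), {size} bytes, sha256 {digest[:16]}")
```

Point it at a copy of the user's document tree (or the mounted drive on a clean machine) and use the "intact" list to answer the "what survived" question before deciding whether to reinstall; the cluster view tells you at a glance how many distinct decoy bodies the malware wrote.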
brut50112 - you just said the free trial and preview of  'Doc Regenerator' "...found most of my files..." Was it able to restore them or just find them?  Find them in the free trial and then fix them if you purchased it?  No fix at all?   thanks.

brut50112, and how about a link to the page where we can download that?  These are important things to post, when a possible solution is just around the bend...
Doc Regenerator has found previous versions of the files before the virus attacked. I am still going through them to see how much can be recovered. It has not recovered some of my more recent work (the stuff I really need), but has recovered most stuff that has been on my computer for a while.

You can preview all the files that it recovers before you pay anything. However, it recovered over 2000 files on my computer, with no way for me to search for specific files, so I paid the 49.95 and saved them to a file. Now I can search through them. My guess is that anything I created in the last 3-6 months is not recoverable with this program.

There may be better programs, though, Im not sure.
Here's the home page...

http://www.gold-software.com/download563.html

"preview for TEXT documents..."  Otherwise you STILL have no idea whether or not it will actually recover the .doc files, let ALONE all the other files this thing is destroying!

That wasn't terribly helpful...  Anyone else?
Do not click on this link. I am 99% positive this is where I picked this virus up. If this will help with the solution, great, because I need to recover some files. I was searching for the soup recipe when I got the virus. I remember it very clearly. I Ctrl-Alt-Del'd to close the window, but still got it.

http://www.almadepoker.com/wp-content/.../chevy-s-recipe-tortilla-soup.html
I was searching for a broccoli cheese soup recipe when a tab of IE looked like it was a Windows error message on a Windows desktop. It locked up IE, and I just closed IE, but I still got it also.
As of now, I have been unable to see anything that might indicate a recovery capability. Linux does not see the data, just as Windows does not. A little bit more research (and I apologize, but I had a power failure yesterday afternoon, and I lost the pages I was browsing) seems to indicate that the files are not "corrupted", but rather "encrypted", leaving me with a small glimmer of hope for the recovery of these files.

Tom's search for a "rip-off" recipe also seems to be a relatively popular method of contraction.
Something I noticed with the CCD and FLR folders is the filenames alternate, i.e.:
fcd6a.fcd is in CCD, the file fcd6b is in FLR, etc.
I opened with Notepad and saw nothing, but WordPad shows the below as the 1st line; the rest is unidentifiable:
fcd6a.fcd
wamba0000006eC:\Documents and Settings\Administrator\Local Settings\Temp\Microsoft Office 2003 Setup(0001)_Task(0001).txt
fcd6b.fcd
wamba0000006eC:\Documents and Settings\Administrator\Local Settings\Temp\Microsoft Office 2003 Setup(0001)_Task(0001).txt

Just a tidbit of observation, Wes
BTW: the path name referenced above has 2 txt files in it with the good old FileError_22001.

Here is my current plan: I did a search on the user's system for any files that changed on 12/7/2008, the date she got hit, and then copied them into a folder so I have them all in one location to analyze.

Wes
I am simply amazed that none of the AV companies are even acknowledging this thing for what it is...  Has anybody been able to find info on it even referenced on any of their sites?
willcomp: I checked out that bleepingcomputer site and posted a reply in the thread referencing a link to here so we can maybe get some collaboration on this!
I checked Trend Micro and Symantec, the 2 I usually depend on for answers, and a search for FileError_22001 came up with no results... So unless they have another moniker to identify it, it looks like they are clueless.

Wes
Also on my 'Search' I mentioned above I discovered this mongrel hit any TXT, JPG, or Office file no matter where it was located on C:\, for example the \i386 folder: all its text files now have FileError_22001 in them!
I had also checked Symantec and McAfee as well. There's a user group thread on McAfee site that is no help. There's a thread in MS TechNet -- also no help. When I first Googled "FileError_22001" several days ago, there were only a handful of hits. Now there are hundreds. This thing is spreading.

I wonder if this exploit is the delivery mechanism: http://blogs.zdnet.com/security/?p=2283&tag=nl.e550

It would be interesting to know if any OSes besides XP and browsers other than IE are affected ( W2K and IE6 may be vulnerable as well).
On my affected (now safe?) laptop I have a comment from the Symantec tech regarding an 8 or 10 number reference to this virus. Whether or not that will help... it won't hurt. I will head home at lunch and find the reference and post it. I bet the AV folks know a lot more than they are letting on... I also have a connection to a pretty sophisticated operation that 'finds' info on computers that people don't want found. They have asked me to submit numerous files for them to examine... will report any progress.
This new advisory from Microsoft is (I suspect) talking about this same exploit:

  http://www.microsoft.com/technet/security/advisory/961051.mspx

It lists a few things you can do to prevent the problem, but doesn't offer a fix if already affected, unfortunately.
r-k: nope, they say: "Our investigation so far has shown that these attacks are only against Windows Internet Explorer 7". My user is using Internet Explorer 6.0.2900.2180.
In the search I did I found the supposed website that launched the attack on her system:
On 12/7 it shows no activity after 7:11 PM, then an entry shows up for:
The Imus Ranch Foods; that link launched itself at 10:05 PM (http://www.imusranchfoods.com),
then a file called QTFont.for at 10:08 PM (see Code Snippet for Notepad look),
followed by a Rescued Document 1 .txt at 10:10 PM (which has the FileError_22001 in it),
and then that's when the CDD and FLR folders begin to show files....

Wes
MZ      ÿÿ  ¸       @                                   ¬   º ´	Í!¸LÍ!This is a TrueType font, not a program.
 
$ Kiesa NER       ¬                   @ @ t ¬ ¬                ¬     H 	 P,     ̬     @  P¬      FONTDIRQTFont     QTFont.qfn     FONTRES:Sydnie                                                                                                                                                                                                                                 à                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Notepad look at QTFont.for :   C:\WINDOWS\QTFont.qfn                                                                                                               "   Windows! Windows! Windows!                              @èH H H         ðïLÿ      v      ØSydnie Sydnie Regular                                                                         
                     

image001.png
I had a program written to find the infected files as a tool to know which files I need to restore. All this program does is find JPG, XLS, TXT, and DOC files that are an exact size match for the junk files the virus replaces your files with. In my situation the infected jpg files were all 4440 bytes, xls were all 18432 bytes, etc.

I have attached the search program and its source code to this comment.  All it does is find files that match the size of the bad files and list them in a list box.  You can double click on the files to open them, or right click to get properties.  It does not repair or decrypt the good files hidden under user profiles.  If for some reason your bad files are not the same size as mine you can change the byte size so it can find them.  Since my backup had a few of the infected files I needed an easy way to find them so I knew which ones I needed to restore an older version of.
I guess I can't attach a zipped exe. I have renamed all the files to JPG with a description of what to rename them to in the name. The search program is in the release folder and needs to be renamed to an exe like search.exe.
Seach.zip
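A script in the same spirit as the attached search program, added here as an example (it is not the attachment's code and not from anyone in the thread): it walks a folder tree and flags files whose extension and exact byte size match the junk sizes reported above (4440 bytes for .jpg, 18432 for .xls). The sample folder it builds is constructed for the demonstration. The post gives no sizes for .txt or .doc, so those are left out of the table; add them once you have measured a known-bad file. Like the original tool, this only lists candidates to restore, it does not repair anything.

```python
import os
import tempfile

# Junk sizes observed in the post above. Keys are lower-case extensions,
# values are sets so one extension can carry several observed sizes.
# .txt/.doc are not in the post, so they are deliberately absent here.
KNOWN_JUNK_SIZES = {
    ".jpg": {4440},
    ".xls": {18432},
}


def find_size_matches(root, sizes_by_ext=KNOWN_JUNK_SIZES):
    """Walk `root` and return sorted paths of files whose extension and
    exact byte size match a known junk size. An exact size match is a
    strong hint that the original content was replaced, not edited."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            ext = os.path.splitext(name)[1].lower()
            wanted = sizes_by_ext.get(ext)
            if not wanted:
                continue
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
            except OSError:
                continue  # unreadable or vanished mid-scan: skip, don't abort
            if size in wanted:
                hits.append(path)
    return sorted(hits)


def build_sample_tree(base):
    """Constructed sample tree (hypothetical, for the demo only): two files
    of the observed junk sizes, two that should be ignored."""
    os.makedirs(os.path.join(base, "docs"), exist_ok=True)
    samples = {
        "photo1.jpg": 4440,        # junk size for .jpg  -> flagged
        "docs/budget.xls": 18432,  # junk size for .xls  -> flagged
        "docs/real.jpg": 52000,    # a real photo size    -> ignored
        "notes.txt": 4440,         # .txt not in table    -> ignored
    }
    for rel, size in samples.items():
        with open(os.path.join(base, rel), "wb") as fh:
            fh.write(b"\0" * size)
    return base


def demo():
    """Build the sample tree in a temp dir and return the flagged files as
    forward-slash relative paths, so the result is platform independent."""
    base = build_sample_tree(tempfile.mkdtemp())
    return [os.path.relpath(p, base).replace(os.sep, "/")
            for p in find_size_matches(base)]


if __name__ == "__main__":
    for rel in demo():
        print("candidate for restore:", rel)
```

To use it on a real drive, call `find_size_matches(r"C:\")` (or the root of a mapped share) with the sizes you measured, and feed the list to whatever restore process you use; a quick sanity check is that the flagged files all show the same FileError_22001 text when opened.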
Does anyone know if this thing  attacks files on drives other than C: (e.g. D: drive, network shares etc.)?

FWIW searching for fileerror_22001 on Google brought up 900+ matches yesterday, 1300 today, so it's definitely out there, and for 2 weeks now, apparently. The silence from major AV vendors is very odd; probably they don't have a handle on it. Read someplace that it deletes itself after corrupting the files, so no trace is left behind.

If it's the same thing that Microsoft is working on then it also impacts Vista. They have updated that page (http://www.microsoft.com/technet/security/advisory/961051.mspx) to now also include IE 5 and 6 and even 8, and say that it can affect "all supported versions of Windows", so I do think it is the same thing as what we have here.

There are some hints it could be this exploit:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9123179
This thing is driving me nuts...  I guess for now, (until SOMEBODY sees this malicious thing for what it is...) all we can tell anybody is this:

1:  Use safe browsing and email techniques.
2:  Make certain your PC is updated - Thank you, again, M$.
3:  Use a respectable antivirus, and be sure it is updated!
4:  Save your word docs (undoubtedly the most common of the Office applications) as .rtf files.  (The .rtf files APPEAR to be immune.)
5:  Save your graphics jobs as .bmp or .gif
(Again, these formats appear to be immune)
6:  Switch to Ubuntu!  (Only *half* kidding about this one.)
I'm not sure an updated AV program will intercept this one. Hopefully, MS will issue an out of band patch when one is available. We still don't know if the latest IE exploit is the transfer mechanism though.

In the interim, I'd suggest backing up files to removable media and using FireFox.
ddmcp2000,

I am afraid 1, 2, and 3 won't help you. I had all updates and antivirus, and was browsing a cooking recipe website when I got it. I think the removable media backup is the best protection right now.
For real safety install Virtual PC and install an OS in there to do internet surfing so the real pc is protected and only the virtual PC would get hit.....

Wes
I have a system with files located on a network Share, mapped to the users system with infected files.  It appears that it can infect both local and mapped locations.
Does anyone have a website where I can infect a virtual pc with this virus.  I am paying a programmer to see if he can reverse the damage to the files.  I have not tried the link above, but the programmer says it is dead.  
Not to put you guys off or anything, but I discovered a similar Trojan in the wild a few years back. What it did is, once executed, it would search for files with extensions .doc, .txt, .xls, .mp3, .ppt, .pdf, .csv, .mdb etc., both on local hard drives and on writable network shares, then simply overwrite them with a dummy file multiple times to ensure no recovery could help. There was no backup routine; the thing was built to destroy files. What you people should do is just submit the file or any suspect files of the binaries of this malware to all major antivirus companies; then once they get it they should include it in the definitions and give it a fancy name. The one I got was titled W32.killfiles.n, which you should guess what it does by now.
http://www.kaspersky.com/scanforvirus
http://www.symantec.com/business/security_response/submitsamples.jsp
http://www.f-prot.com/virusinfo/submission_form.html
http://support.microsoft.com/kb/921161 (once MS gets this one, they should include cleanup & detection in Defender, OneCare & the Malicious Software Removal Tool)
The different thing here is that this one actually uses a zero-day exploit to move around, which is a very malicious type of attack; it looks as if the attackers are trying to spite Microsoft by destroying files of Windows / IE users. Please ensure you are patched up against those IE-related vulnerabilities, as both are related to remote code execution and it is more than likely they came through one of them.
Please use Windows Update as needed.
http://go.microsoft.com/fwlink/?LinkId=130478
http://go.microsoft.com/fwlink/?LinkId=133437
http://go.microsoft.com/fwlink/?LinkId=125440
Also Internet Explorer settings should always be set to HIGH and active content blocked for the time being till this clears out.
Finally, your friend here is backup. You can try data recovery software to restore files, but the longer this takes the harder the files will be to recover.
Good luck everyone.
Tom_Hickerson: go here to get the Microsoft Virtual PC: http://www.microsoft.com/downloads/details.aspx?familyid=04D26402-3199-48A3-AFA2-2DC0B40A73B6&displaylang=en
then install and do your testing.
Wes
Admin3k: Not put off, as a lot of viruses are often morphs of a previous virus that someone has taken and manipulated to make it better or worse than it was before, depending on your viewpoint.
If you read this thread, the 'key' with this virus seems to be the fact that the files affected all were replicated as files with .fcd extension in other folders within Local_Settings, and I myself am dealing with a user who has this, not myself.

My user is clean so I am unable to help the antivirus companies, who on my take should have the initiative themselves to contract the virus to find a solution; they get paid for that service, I don't!

Backup is indeed a friend, but after the fact and when the damage is done it is too late....

As far as IE settings, you live in a dream world; most 'work' sites that users need to go to to do a job to make a living require a 'Medium' security setting or they can't do what they need to be productive and thus earn a paycheck... Hello, reality check here!
I just used an old app I had on hand called inside out to view this file:
C:\I386\COMPDATA\XEROX1.TXT (which is common on all OEM XP Pro installs), so this is what it was:
The following Xerox printer, which might have been installed on your system, will not function properly under Microsoft Windows XP using the printer driver that is currently installed:

Xerox  DocuPrint P12

You can replace the driver with an updated version, or Windows XP Setup will install a compatible driver.

To obtain a more recent version of this printer driver, visit the manufacturer's Web site at http://www.microsoft.com/isapi/redir.dll?prd=whistler&ar=Printing&O1=xerox. Web addresses can change, so you might be unable to connect to this Web site.

Now here is how it appears as fcda8b.fcd:
Normal View:
wamba00000039C:\I386\COMPDATA\XEROX1.TXT°&\#¦àöÇîhêÆSÇtf++kgÆfeñdåæ{ôìwR6’ù+-ás++_°’{_¿òhF---Ʀ,&¦t9jGæ{L$îjk\síù%îüjF:ë£U¿      3+ë¦T+Sh¦ôüG¦£¥6ïÜOçSµ¦r9¼\A¯ê¦`H¼FV»=S`ÉêìÜ%«ü~p+ù8+IÜ~¦P’++!á3¦";Öziqa¦¦*ê&ñÅ8¿>=#+{¡7;¦i=¿£+ó-
æW+Vo/ïdO#’w÷½éº#ZS¦ ¦¦=Or5¦.+ ¼·)4m7ô¦]«ïs:lC|{¦Oô»+¦\ö1Y*>cQq++ó¦Å·y_+YßB,’¦{-üàïÖ¦%)+{"+¼A/7¦ºF0¦¦í O+-¼Dïæ:çKº%¼Z-¦PA+?^Jñ+6qú¦£+óì¦B)¦;F+·-b.:a=++·±¦k++
`d¦ò+í-8ɦ+RX<]Qìé(]=fcSre+E--:(^\Ç+f¦=V+t[9`î<th-Y+_g+\
A3â¥/¦ÿ+1+BEwE¦ûÖ%T-¦ëP-yÄúw·¯KtL+æ»;Bñ'lfô¦-|w¦¬E +o).7epd++q#ì+q¦uW?C+e.g²e/T÷çlF+vmâ«+£-ªfü¦¦dK=Å<+H\ª9½n-<
Ascii View:
wamba00000039C:\I386\COMPDATA\XEROX1.TXT°&\#¦àöÇîhêÆSÇtf++kgÆfeñdåæ{ôìwR6’ù+-ás++_°’{_¿òhF---Ʀ,&¦t9jGæ{L$îjk\síù%îüjF:ë£U¿      3+ë¦T+Sh¦ôüG¦£¥6ïÜOçSµ¦r9¼\A¯ê¦`H¼FV»=S`ÉêìÜ%«ü~p+ù8+IÜ~¦P’++!á3¦";Öziqa¦¦*ê&ñÅ8¿>=#+{¡7;¦i=¿£+ó-
æW+Vo/ïdO#’w÷½éº#ZS¦ ¦¦=Or5¦.+ ¼·)4m7ô¦]«ïs:lC|{¦Oô»+¦\ö1Y*>cQq++ó¦Å·y_+YßB,’¦{-üàïÖ¦%)+{"+¼A/7¦ºF0¦¦í O+-¼Dïæ:çKº%¼Z-¦PA+?^Jñ+6qú¦£+óì¦B)¦;F+·-b.:a=++·±¦k++
`d¦ò+í-8ɦ+RX<]Qìé(]=fcSre+E--:(^\Ç+f¦=V+t[9`î<th-Y+_g+\
A3â¥/¦ÿ+1+BEwE¦ûÖ%T-¦ëP-yÄúw·¯KtL+æ»;Bñ'lfô¦-|w¦¬E +o).7epd++q#ì+q¦uW?C+e.g²e/T÷çlF+vmâ«+£-ªfü¦¦dK=Å<+H\ª9½n-<
Hex View:

 49 33 38 36 5C 43 4F 4D - 50 44 41 54 41 5C 58 45   I386\COMPDATA\XE
 52 4F 58 31 2E 54 58 54 - 00 F8 26 5C 23 B0 85 94   ROX1.TXT..&\#...
 80 8C 68 88 92 53 80 1F - 1C E7 66 BF C9 6B 67 92   ..h..S....f..kg.

 66 65 A4 17 EB 86 91 07 - 7B 93 8D 77 52 36 9F 97   fe......{..wR6..
 C8 C4 A0 E5 D9 02 CE 5F - F8 9F 7B 5F A8 95 68 46   ......._..{_..hF
 C4 CA C2 92 C7 2C 26 CC - 74 39 6A 47 91 7B 19 14   .....,&.t9jG.{..

 4C 24 8C 6A 6B 5C 73 A1 - 97 25 8C 81 1E 6A 46 06   L$.jk\s..%...jF.
 3A 89 9C 55 A8 09 33 C3 - 89 B9 E9 C8 E4 68 B6 14   :..U..3......h..
 93 81 E2 DB 9C 9D 07 07 - 36 8B F7 EA 08 87 53 E6   ........6.....S.
 B1 72 39 AC 5C 41 0F DF - 88 B6 60 48 AC E8 56 AF   .r9.\A....`H..V.

 F3 0E 53 60 90 88 8D 9A - 25 1C AE 81 7E E3 BD 97   ..S`....%...~...
 EC DA 19 49 F7 7E B2 50 - 9F D5 D8 21 A0 33 B1 22   ...I.~.P...!.3."
 3B 99 7A 69 71 61 B1 B6 - 2A 88 26 0C A4 8F 38 A8   ;.ziqa..*.&...8.

 3E F3 23 CE 7B AD 37 3B - C7 69 0F F2 A8 9C 15 D3   >.#.{.7;.i......
 A2 13 1A C4 0A 91 01 57 - 02 D5 56 6F 19 2F 8B EB   .......W..Vo./..
 06 04 0E EA 23 9F 77 F6 - AB 82 A7 23 5A E4 C6 20   ....#.w....#Z..

 B2 B3 13 18 F2 EA 72 35 - C7 2E C8 20 AC FA 29 19   ......r5... ..).
 34 1C 6D 37 93 C6 5D 1F - AE 12 8B E5 3A 6C 43 7C   4.m7..].....:lC|
 18 7B DD 08 EA 93 AF D3 - B4 5C 94 31 59 2A 1D 3E   .{.......\.1Y*.>
 63 51 71 D4 01 C3 A2 C7 - 8F F9 79 5F C9 13 1B 59   cQq.......y_...Y

 E1 42 2C 9F B6 7B C4 81 - 85 8B 99 BA 25 29 D6 7B   .B,..{......%).{
 22 BF AC 41 2F 37 B9 A7 - E8 30 B3 B3 A1 FF EA C0   "..A/7...0......
 CD AC 44 8B 91 3A 87 4B - A7 25 AC 5A 2D B9 9E 41   ..D..:.K.%.Z-..A

 B7 3F 18 0C 5E 4A A4 BE - 36 12 71 A3 DE 9C D7 A2   .?..^J..6.q.....
 8D DE 42 29 C6 3B 46 B8 - FA CD 62 2E 3A 61 F2 D8   ..B).;F...b.:a..
 C3 04 FA F1 DE 6B C5 C9 - 0D 08 60 EB 18 C7 95 BB   .....k....`.....

 A1 CB 38 90 B6 D3 52 58 - 3C 5D 51 8D 04 82 13 F4   ..8...RX<]Q.....
 5D F2 ED 63 E4 72 65 C8 - 45 C4 D1 07 3A F4 1A 5E   ]..c.re.E...:..^
 5C 80 D5 66 11 B1 F3 56 - 12 C0 74 5B 39 60 8C 3C   \..f...V..t[9`.<
 E7 68 CB 01 59 B8 DC 67 - BE 5C 0D 41 33 02 83 9D   .h..Y..g.\.A3...

 03 2F BA 98 D6 31 D9 42 - 45 77 45 B0 96 99 04 25   ./...1.BEwE....%
 E9 D2 16 B1 89 9E CF 79 - 8E A3 77 FA DF 4B 74 4C   .......y..w..KtL
 B7 91 AF 3B 42 A4 27 6C - 66 93 FE 01 0C CA 7C 77   ...;B.'lf.....|w

 06 DB 05 A9 45 20 C0 6F - F5 2E 37 65 E3 64 D8 C0   ....E .o..7e.d..
 08 71 23 8D 2B 71 14 C7 - 75 57 16 3F 43 DA EE 2E   .q#.+q..uW.?C...
 67 0F FD EE 13 2F E9 F6 - 87 6C E8 C5 76 6D 83 AE   g..../...l..vm..

 2B 1F 9C D1 A6 ED 81 DE - B5 EB 4B 3D 8F 3C D3 48   +.........K=.<.H
 5C A6 39 AB 6E C1 3C 06 - 1E                        \.9.n.<..      

fcda8c.fcd looks similar:
wamba00000039C:\I386\COMPDATA\XEROX1.TXT°&\#¦àöÇîhêÆSÇtf++kgÆfeñdåæ{ôìwR6’ù+-ás++_°’{_¿òhF---Ʀ,&¦t9jGæ{L$îjk\síù%îüjF:ë£U¿      3+ë¦T+Sh¦ôüG¦£¥6ïÜOçSµ¦r9¼\A¯ê¦`H¼FV»=S`ÉêìÜ%«ü~p+ù8+IÜ~¦P’++!á3¦";Öziqa¦¦*ê&ñÅ8¿>=#+{¡7;¦i=¿£+ó-
æW+Vo/ïdO#’w÷½éº#ZS¦ ¦¦=Or5¦.+ ¼·)4m7ô¦]«ïs:lC|{¦Oô»+¦\ö1Y*>cQq++ó¦Å·y_+YßB,’¦{-üàïÖ¦%)+{"+¼A/7¦ºF0¦¦í O+-¼Dïæ:çKº%¼Z-¦PA+?^Jñ+6qú¦£+óì¦B)¦;F+·-b.:a=++·±¦k++
`d¦ò+í-8ɦ+RX<]Qìé(]=fcSre+E--:(^\Ç+f¦=V+t[9`î<th-Y+_g+\
A3â¥/¦ÿ+1+BEwE¦ûÖ%T-¦ëP-yÄúw·¯KtL+æ»;Bñ'lfô¦-|w¦¬E +o).7epd++q#ì+q¦uW?C+e.g²e/T÷çlF+vmâ«+£-ªfü¦¦dK=Å<+H\ª9½n-<
Ascii:
wamba00000039C:\I386\COMPDATA\XEROX1.TXT°&\#¦àöÇîhêÆSÇtf++kgÆfeñdåæ{ôìwR6’ù+-ás++_°’{_¿òhF---Ʀ,&¦t9jGæ{L$îjk\síù%îüjF:ë£U¿      3+ë¦T+Sh¦ôüG¦£¥6ïÜOçSµ¦r9¼\A¯ê¦`H¼FV»=S`ÉêìÜ%«ü~p+ù8+IÜ~¦P’++!á3¦";Öziqa¦¦*ê&ñÅ8¿>=#+{¡7;¦i=¿£+ó-
æW+Vo/ïdO#’w÷½éº#ZS¦ ¦¦=Or5¦.+ ¼·)4m7ô¦]«ïs:lC|{¦Oô»+¦\ö1Y*>cQq++ó¦Å·y_+YßB,’¦{-üàïÖ¦%)+{"+¼A/7¦ºF0¦¦í O+-¼Dïæ:çKº%¼Z-¦PA+?^Jñ+6qú¦£+óì¦B)¦;F+·-b.:a=++·±¦k++
`d¦ò+í-8ɦ+RX<]Qìé(]=fcSre+E--:(^\Ç+f¦=V+t[9`î<th-Y+_g+\
A3â¥/¦ÿ+1+BEwE¦ûÖ%T-¦ëP-yÄúw·¯KtL+æ»;Bñ'lfô¦-|w¦¬E +o).7epd++q#ì+q¦uW?C+e.g²e/T÷çlF+vmâ«+£-ªfü¦¦dK=Å<+H\ª9½n-<
Hex:
:   77 61 6D 62 61 30 30 30 - 30 30 30 33 39 43 3A 5C   wamba00000039C:\
:   49 33 38 36 5C 43 4F 4D - 50 44 41 54 41 5C 58 45   I386\COMPDATA\XE
:   52 4F 58 31 2E 54 58 54 - 00 F8 26 5C 23 B0 85 94   ROX1.TXT..&\#...

:   80 8C 68 88 92 53 80 1F - 1C E7 66 BF C9 6B 67 92   ..h..S....f..kg.
:   66 65 A4 17 EB 86 91 07 - 7B 93 8D 77 52 36 9F 97   fe......{..wR6..
:   C8 C4 A0 E5 D9 02 CE 5F - F8 9F 7B 5F A8 95 68 46   ......._..{_..hF

:   C4 CA C2 92 C7 2C 26 CC - 74 39 6A 47 91 7B 19 14   .....,&.t9jG.{..
:   4C 24 8C 6A 6B 5C 73 A1 - 97 25 8C 81 1E 6A 46 06   L$.jk\s..%...jF.
:   3A 89 9C 55 A8 09 33 C3 - 89 B9 E9 C8 E4 68 B6 14   :..U..3......h..
:   93 81 E2 DB 9C 9D 07 07 - 36 8B F7 EA 08 87 53 E6   ........6.....S.

:   B1 72 39 AC 5C 41 0F DF - 88 B6 60 48 AC E8 56 AF   .r9.\A....`H..V.
:   F3 0E 53 60 90 88 8D 9A - 25 1C AE 81 7E E3 BD 97   ..S`....%...~...
:   EC DA 19 49 F7 7E B2 50 - 9F D5 D8 21 A0 33 B1 22   ...I.~.P...!.3."

:   3B 99 7A 69 71 61 B1 B6 - 2A 88 26 0C A4 8F 38 A8   ;.ziqa..*.&...8.
:   3E F3 23 CE 7B AD 37 3B - C7 69 0F F2 A8 9C 15 D3   >.#.{.7;.i......
:   A2 13 1A C4 0A 91 01 57 - 02 D5 56 6F 19 2F 8B EB   .......W..Vo./..

:   06 04 0E EA 23 9F 77 F6 - AB 82 A7 23 5A E4 C6 20   ....#.w....#Z..
:   B2 B3 13 18 F2 EA 72 35 - C7 2E C8 20 AC FA 29 19   ......r5... ..).
:   34 1C 6D 37 93 C6 5D 1F - AE 12 8B E5 3A 6C 43 7C   4.m7..].....:lC|
:   18 7B DD 08 EA 93 AF D3 - B4 5C 94 31 59 2A 1D 3E   .{.......\.1Y*.>

:   63 51 71 D4 01 C3 A2 C7 - 8F F9 79 5F C9 13 1B 59   cQq.......y_...Y
:   E1 42 2C 9F B6 7B C4 81 - 85 8B 99 BA 25 29 D6 7B   .B,..{......%).{
:   22 BF AC 41 2F 37 B9 A7 - E8 30 B3 B3 A1 FF EA C0   "..A/7...0......

:   CD AC 44 8B 91 3A 87 4B - A7 25 AC 5A 2D B9 9E 41   ..D..:.K.%.Z-..A
:   B7 3F 18 0C 5E 4A A4 BE - 36 12 71 A3 DE 9C D7 A2   .?..^J..6.q.....
:   8D DE 42 29 C6 3B 46 B8 - FA CD 62 2E 3A 61 F2 D8   ..B).;F...b.:a..

:   C3 04 FA F1 DE 6B C5 C9 - 0D 08 60 EB 18 C7 95 BB   .....k....`.....
:   A1 CB 38 90 B6 D3 52 58 - 3C 5D 51 8D 04 82 13 F4   ..8...RX<]Q.....
:   5D F2 ED 63 E4 72 65 C8 - 45 C4 D1 07 3A F4 1A 5E   ]..c.re.E...:..^
:   5C 80 D5 66 11 B1 F3 56 - 12 C0 74 5B 39 60 8C 3C   \..f...V..t[9`.<

:   E7 68 CB 01 59 B8 DC 67 - BE 5C 0D 41 33 02 83 9D   .h..Y..g.\.A3...
:   03 2F BA 98 D6 31 D9 42 - 45 77 45 B0 96 99 04 25   ./...1.BEwE....%
:   E9 D2 16 B1 89 9E CF 79 - 8E A3 77 FA DF 4B 74 4C   .......y..w..KtL

:   B7 91 AF 3B 42 A4 27 6C - 66 93 FE 01 0C CA 7C 77   ...;B.'lf.....|w
:   06 DB 05 A9 45 20 C0 6F - F5 2E 37 65 E3 64 D8 C0   ....E .o..7e.d..
:   08 71 23 8D 2B 71 14 C7 - 75 57 16 3F 43 DA EE 2E   .q#.+q..uW.?C...

:   67 0F FD EE 13 2F E9 F6 - 87 6C E8 C5 76 6D 83 AE   g..../...l..vm..
:   2B 1F 9C D1 A6 ED 81 DE - B5 EB 4B 3D 8F 3C D3 48   +.........K=.<.H
:   5C A6 39 AB 6E C1 3C 06 - 1E                        \.9.n.<..      


Wes
Wes...

What can anybody do with that?  The info is the same, just dumped to a hex...  Is that one of the broken files?  Is that the Xerox print driver?

A little more info would be helpful.
ddmcp2000:
The first is the actual text file.
The second is fcda8b.fcd.
The third is fcda8c.fcd.

What can someone do with it?
Ever see the movie Jurassic Park?
It's the file DNA, so maybe someone can see the pattern to unscramble it back into the original file.

I have been working on it myself trying to find the pattern or key to merge the two, or whatever needs to be done, to no avail, so I am seeing if others maybe see something I am missing....
It's the way you hack at something: look for the weak point that lets you in....
What I have found is this. Any file that had a "." (DOT) in the file name was immune. For instance:
"ABC Company Inc. Proposal.doc" was not affected. The virus must look for the 1st DOT and then to the right of that. In this case it was " Proposal.doc". So the bottom line is add a DOT to your file names. It is a minor modification to your file naming conventions, but could save you big in the future. It's better than removable media. Eventually RTFs and BMPs will be targeted. However, random DOTs in a file name will be much harder to target.

mbrennan_pacbell_net: said:
"...So the bottom line is add a DOT to your file names.  It is a minor modification to your file naming conventions, but could save you big in the future.  it's better than removable media.  Eventually RTF's and BMP's will be targeted.  However, random DOTs in a file name will be much harder to target."  
Are you saying I need to go in and re-name all files to inoculate myself from this virus? Is there a simple way, like amending a folder title to reject the virus, instead of renaming all my files with a "." (Dot) in them?
1:  At a command prompt, navigate to the folder where all of your documents are stored.
2:  Type "ren *.doc *.do.c" (without the quotes, of course) <enter>
3:  Repeat for all the desired filetypes, (.txt, .pps, .jpg, etc.) if others exist within that directory
4:  Back in windows, re-associate the new file extension with MSWord, notepad, Powerpoint, etc.
5:  Enjoy your new safety!  :)
:::::ADDENDUM:::::
An easy way to get to the desired folder...  Go to Microsoft's website, and download and install the "Command Prompt Here" Power Toy.  You'll probably need to use it more often than you think!
Well, since this issue seems to be quietly occurring I just filed a report with US-CERT. The Incident ID number is:
2008-USCERTv32I1WC6, see: http://www.us-cert.gov
I am surprised they don't have anything about this issue occurring, seeing how quite a few got attacked by it, so we will see if they report on it now that a report has been filed.

Wes
I believe this is exploiting the same vulnerability explained in the following links:

http://www.microsoft.com/technet/security/advisory/961051.mspx
http://blogs.technet.com/swi/archive/2008/12/12/Clarification-on-the-various-workarounds-from-the-recent-IE-advisory.aspx
http://blogs.technet.com/mmpc/default.aspx

There is still no patch from MS, as far as I know, and no relief for anyone already impacted.

My advice would be to (for those not affected already):

(a) Make a good backup or two on a drive that is not permanently mapped or mounted on your system.
(b) Use Firefox for now where practical.

The workarounds suggested by MS for IE are either impractical or too cumbersome, and it looks like all versions of Windows including Vista and most versions of IE are vulnerable.

Renaming files is probably not the way to go.
For those still following this thread, MS is releasing a patch tomorrow (Dec. 17) to fix this vulnerability, as best as I can tell. See this link:

  http://www.microsoft.com/technet/security/bulletin/ms08-dec.mspx

Applies to pretty much all supported versions of Windows and IE.

Related story here:

  http://isc.sans.org/diary.html?storyid=5470

Patch is great, how about information about a fix???
Exact link to make things easier; this particular one was released as an out-of-band security bulletin.

http://www.microsoft.com/technet/security/bulletin/MS08-078.mspx


Sorry for the multiple posts.
Here is the associated KB article:
http://support.microsoft.com/kb/960714
Hey there,
 
I have a system here that has been infected with that "virus". Is there anyone that has been able to detect this virus or clean the infection? I ran full scans of Symantec Endpoint Protection / MBAM / Spybot S&D; nothing was found.
The only thing that aligns with this virus is 2 detections from Symantec the same night that the virus hit: a file called "file[1].pdf" and "AcrE8D9.tmp" detected as Bloodhound.Exploit.196....

Has anyone seen the same behavior at approximately the same time stamp the documents were wiped?

thanks
@aarcand, if you are able to get copies of those two infected files (Symantec Quarantine maybe?), I suggest you make sure this has been submitted to all major antivirus companies. The Bloodhound detection by Symantec is a generic detection by the heuristic scanner module; the files in question have a malicious behaviour and contain code that is deemed to be unsafe by the scanner engine. You can also scan it online at www.virustotal.com to check which engines are detecting them; perhaps if the threat was properly identified a recovery solution or a fix to undo the damage done can be created by one of the AV vendors.

ASKER CERTIFIED SOLUTION
barnettmnljs
I have just downloaded it. Trying it right now. It looks promising, files are getting decrypted and restored on the desktop. The application states it decodes Trojan.Encoder.33 files.

After running the fix I noticed it created all files twice.

doc1.doc
doc1.doc0

doc1.xls
doc1.xls0

etc. Did anyone see this behavior? It might be related to the user moving folders around in panic... Since no folders existed, everything was dumped on the desktop.

Anyhow, this tool did fix it and files are now available.
Any indications on recovering jpeg or PowerPoint files? I hope to be a novice one day... is the procedure pretty straightforward to download and apply the fix? Thanks
Just downloaded and ran the Dr.Web program. It appears to have not only restored the .doc and .txt files but also the jpeg and PowerPoint files. Still searching to discover any missing files, but so far it looks like 90% recovered at a minimum. Thanks barnettmnljs for finding this and sharing the info!!! Great Christmas present after a rough post-Thanksgiving weekend! Oh, backing up now!!!!
Please help, I have clicked the link but it says after running it that "no first key found, pc not infected". I had the same error as everyone else and lost all my word and jpeg files. Any help would be greatly appreciated. I am not the greatest when it comes to computers, but I get by most times! Thank you!!!
Christine
aarcand noted that the restored files were copied to the desktop.  I have seen the same thing.  Any detriment to deleting these icons or should I move them into a storage folder on my desktop to clear it up?
@Christinemc: it appears the program will only undo the damage if the infection was active; if the trojan was already removed from the registry the fix will not work, most likely because it retrieves the encryption key from there.
Please refer to this thread 
http://community.norton.com/norton/board/message?board.id=nis_feedback&message.id=27053


Okay, I downloaded (direct link: ftp://ftp.drweb.com/pub/drweb/windows/te33decrypt.exe)
and ran it and got the attached..... Which is "system not infected", but of course that means I can't recover the encrypted files.... I am hoping it is still possible; maybe someone can export the registry keys it looks at and provide them so those of us that removed the virus can still recover the files?

Thanks Wes
DrwebMessageErro22001.png
Let me know if my logic is wrong... @Christinemc & @Wmiller could not get the Dr.Web to work because it believed their systems were not 'infected'... correct? Does that mean that since Dr.Web was able to run and restore my files that my system IS still infected? Do I need to take additional precautions against this challenge? Is the virus simply sleeping somewhere in my system for later release again?
TO Dragonkillers:
I have deleted the extra copies the fix has created and I can still access the original files. I don't see any reason to keep the copies.

On another note, Dragonkillers has a good concern here. I don't think my system is still infected, but if the tool does not run when a system is not infected it raises questions.

I'll try to find a removal tool for Trojan.Encoder.33 and run it and post the results.
@Dragonkillers: you have a valid point here; this is the first thing I thought of, which is to export the registry keys from an infected machine and import them on another that needs recovering the files, but there are two issues with this scenario.
1- There is very little known about the technical specs of this trojan. I have yet to see an infected machine first hand, so info about the registry keys it creates is unknown so far.
A translated page from Russian has the best details about it, but not the needed info:
http://translate.google.com/translate?hl=en&ie=UTF-8&u=http%3A%2F%2Fitnews.com.ua%2F45742.html&sl=ru&tl=en&history_state0=&swap=1&swap=1&swap=1
2- What if the encryption key was unique to each machine? What if it was even random each time it occurs? This makes sense, because if Dr.Web analysts found a standard registry entry with a standard encryption key, there would be no need for the existence of the registry keys or an active infection in order to decrypt the files.
Another thing to suggest there is no master key is that this trojan does not behave like the previous ones from this family labeled as (Ransomware), where there is a message displayed to the user asking them to contact the malware author to purchase a key to decrypt the files.
I am not advising this, but if this is indeed the case, the only method I can think of right now to solve this problem is to simulate the steps that caused the infection (suspicious websites, etc.); it appears the trojan will not carry out its encryption routine unless it is able to contact a certain server, so blocking all outbound connections while visiting the website is a good idea.
Also using a sandbox application for IE can help a lot in avoiding the damage while we will still be able to monitor the reg keys in question. Something like Sandboxie should do the trick here:
http://www.sandboxie.com/index.php?DownloadSandboxie
That or, of course, contacting your antivirus support to confirm the needed registry entries and whether they are unique to each machine or not.

Good luck all recovering your files.

@Admin3k, thanks for the advice, but you are so far over my head my 8yr old is having to explain it to me!  I have family in the DEA who have had their "spooks" (his term) working on this problem.  He said they found this 'fascinating'.  I sent him a flash drive with numerous good and affected files along with this thread to see what they can determine.  I will post whatever they share also, unless they do so first.  At least if this virus activates again, we seem to have a system to repel its effects.  Still a pain, but solvable.  Thanks again for your expertise.
@Aarcand, thanks for the advice also.
I ran CureIt from Dr.Web. It found 1 infected file in my System Restore, which I left enabled intentionally. This switched a light on when I saw it. See below.
Note that I do not recommend the solution below, as I have not tried it myself and do not know of the effects it could have on the "infected/non-infected files"... but if someone can try it on a VM or something and let us know the results, it would be great.

Also, does anyone know where in the registry the "decryption key" is located?

For those who are not infected but damage was done:
Has anyone thought of using System Restore to restore to a previous date where the registry key was there and the system was infected?

Of course, usually when you cure a system of a virus you disable System Restore, but in some cases it might have been forgotten.

Still not sure this will enable you to decrypt the files but it might be something to try in a sandbox.

Anyone think this would be a possible avenue to look at?
I don't have access to an infected machine but have been following this thread.

For those of you who have lost important files due to this problem, my advice would be to do as little as possible to the original disk, i.e. don't attempt clean-up. If your files are important enough, get the help of a qualified person, or just wait a bit until the dust settles. If possible make a clone of the affected disk and work on that.

In case the recovery key is missing from the Registry, note that there may be copies of the old version of the Registry in the Windows "restore points", and the recovery key may be there someplace.

From all indications the mere presence of the registry key does not indicate a lingering infection. From what I have read here and elsewhere this virus deletes itself after encrypting files, leaving the encryption key behind in the Registry.

Again, I am surmising this from what others have posted.
FYI, I had posted the same suggestion about System Restore on
http://www.msofficeforums.com/word/1034-fileerror_22001-new-virus-4.html
Someone tried that already and it didn't work. See below.

======================
Quote:
Originally Posted by aarcand  
Has anyone thought of using System Restore to restore to a previous date where the registry key was there and the system was infected?

Of course, usually when you cure a system of a virus you disable System Restore, but in some cases it might have been forgotten.

Still not sure this will enable you to decrypt the files but it might be something to try.

Anyone think this would be a possible avenue to look at?
======================
System Restore does not restore your document/data files - it affects system files only. I did try to System Restore to before I cleaned the virus (so I could possibly have the encryption key), but I got a message that it could not restore that restore point. After trying to restore a couple of different days with no luck, I gave up.

I would think Microsoft would step up and try to help in this since this virus was obviously targeted to their users mainly, and their IE Vulnerability was the cause. They are being awful quiet about it.
Okay, when I posted the above I didn't realize I ran it on my system rather than the user's system using the remote tool Goverlan. Anyway, I retried it again, making sure I was on her system, and success: the decrypt program worked and it recovered all her files and even put them back in the original locations. It took about a 1/2 hour. I snapped some screen shots of its process, which are attached.
While it ran I snooped, but could obtain no details of what it was doing, just that the scrambled files were beginning to be restored.

Wes
FlowersFileDecrypt1.JPG
FlowersFileDecrypt2.JPG
FlowersFileDecrypt3.JPG
FlowersFileDecrypted4.JPG
FlowersFileDecrypted5.JPG
FlowersFileDecrypted6.JPG
I believe that the recipient of the points here should go to: barnettmnljs

I'd give him all the points as his response allowed the files to be recovered!

I bow to him and shake his hand in gratitude and
present him with the Spaghetti Monster Award!

This issue was an example of teamwork at its best: Wes


Spaghettiwarp.jpg
I Agree,

Thank You Everyone!
Great Work
Thank You
Ok, since the Dr.Web tool did not work on my system to restore the corrupt files, is there any possible solution here that I might be missing to get those files back? Or are they lost for good now? Thanks, and sorry, I know this discussion is closed. But I am still very lost. Christine.
Depending on the value of your files, you could try one or more of the following:

(1) make a clone of your hard drive to another drive so no further damage results.
(2) contact the people at dr.web to see if they have a workaround.
(3) consult a knowledgeable friend or local expert to guide you through this.
(4) monitor this and other forums to see if a solution is found.