#16
  1. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Mar 2009
    Posts
    2
    Rep Power
    0

    Use ComboFix.exe


    I had the same infection. Ran the gamut of programs, but this is the only one that worked. Files are still showing as corrupted, but that is a different battle now. Watch out for the Vundo virus, that is where I get mine from.
  2. #17
  3. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Mar 2009
    Posts
    3
    Rep Power
    0

    Combofix didn't work for me


    I used combofix as well. I am still getting the pop-ups on the bottom right of my taskbar. Nothing so far has completely removed it.
  4. #18
  5. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Mar 2009
    Posts
    1
    Rep Power
    0
    Just read about this from another tech. While he does not have a fix yet, he said you can recover a document at a time if you install the program but do not pay. Here are his comments. (Newest to oldest.)

    The link on the fake popup brings you to a page to download the FileFixerPro application. When you download it, it is in Trial Mode, which allows you to decrypt one file at a time (I guess to assure you it works). To do a whole bunch of files, you need to pay. That’s what I meant by trial version.
    Oh, and yes, we tried to batch the trial version to do all the files, to no avail.


    We found this virus because a student came in with a 22-page paper, due today, that was total gibberish because of the infection. Luckily, we discovered that FileFixerPro has a trial option that lets you decrypt files one at a time. We installed it on a VM image with no network connection, brought the file over, and decrypted it, so it seems the encryption scheme is not machine or time dependent, probably just a basic key encryption, which I hope some White Hat will reverse and publish for free.
  6. #19
  7. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Mar 2009
    Posts
    2
    Rep Power
    0
    Hello, I am in France.

    My computer is also infected.
    No documents not saved is affected. This monster infects office document but JPEG whose extension is small and PDF.

    I hope they will quickly find a solution.
  8. #20
  9. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Mar 2009
    Posts
    1
    Rep Power
    0

    Toast


    Looks like I also have been infected.... Still unsure how but have been trying to correct the problem all day. Just at a loss at this point... reformatting may be the only option but I will give it a day or two for someone to post a remedy.
  10. #21
  11. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Mar 2009
    Posts
    3
    Rep Power
    0

    Still Nothin'


    So, I noticed someone said watch out for the "Vundo" trojan...which is the exact virus that combofix found!

    I used combofix to stop the initial onslaught of endless randomly named exes that were appearing in my task manager, and then finished it off with Malwarebytes.

    Normal1958 says that if you download Filefix Pro 2009 it will fix the corrupted office files...but I am VERY wary of downloading something the virus WANTS me to download. And I am obviously still infected as I keep getting the popups.

    In addition, when trying to run the Full Scan option of Malwarebytes in safe mode, I got an error saying that Windows/System32/Services.exe stopped, and my computer was forcing a shutdown....this seems to happen every 40 minutes or so, otherwise I just get a BSOD.

    If anyone has found anything else, let us know! It seems we're all in the same boat right now.

    PS. Does anyone know if this is a specific virus/malware? Or is it just a bunch of crap all together?
  12. #22
  13. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Mar 2009
    Posts
    3
    Rep Power
    0

    And the beat goes on


    Hi All,
    Just got a case of this on a customer machine. It is a 'thought out' creation as it really makes it hard to get to. Here is what I am seeing so far. It actually removes all former System Restore data from its location - probably deletes it. It changes certain viewing options in folders as it uses hidden files it creates - I have found these in the %temp% folder and System32 folder so far. Booting in safe mode - I can then adjust settings to view these and delete most. Certain features don't work anymore like my Device Manager or 'system' in CP and IE. If I run IE (when it first worked) and an online scan from Safe Mode - it eventually reboots the system before the scan finishes... it also runs itself in Safe Mode - etc etc etc.... BSOD etc. Before I resort to an in-place upgrade or fresh install of XP after a DOD wipe of the drive and boot sectors - I have pulled this HDD and put it into another computer as a non-booting drive. I am scanning (deep) with two softwares on this drive. This should allow me to find the executable(s) responsible - IF- my software will detect - so far it has found a couple of new names I haven't seen yet. Of course the registry is probably involved and since all system restore is gone - the customer's registry may be damaged. I'll see what I get and let you know.

    -Mark
  14. #23
  15. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Mar 2009
    Posts
    2
    Rep Power
    0

    Given up


    Well I've now bitten the bullet and formatted the HDD, I started to get strange lockups on other networked PCs and this seems like such an unknown force I don't want to take the risk. Thanks for all those that are trying to fix this, I will keep watching in the hope you get a resolution. Good Luck!!
  16. #24
  17. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Mar 2009
    Posts
    2
    Rep Power
    0

    Looks like I spoke too soon


    Earlier I posted that the problem was fixed by ComboFix. Apparently, it fixed part of the problem, but not all of it. My laptop is running much better; however, the pop up has started to pop again. I have tried: Spybot, Malwarebytes, McAfee 8.5i, VundoFix, and ComboFix.

    I have tried locating the process using ProcExp and ProcMon, but do not see it.

    I did download the "fix" into a virtual machine and test the "solution" in the one time test and as expected it does work to fix the file corruption, which seems to be specific to .doc, .xls, .jpeg, and .pdf on my machine. PSD files still work as do CR2 files. But as was noted above, downloading a full program to allow access to files that it locked is not a very savory option. As well thought out as this attack was, I fear the fix would lead to even greater disaster and could lead to a cycle of further corruption and extortion.

    Hopefully someone will be able to find the source and we can all get back to work.
  18. #25
  19. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Mar 2009
    Posts
    1
    Rep Power
    0

    from http://www.burchwords.com/archives/1008


    We ran across a PC that was infected with FileFix Pro 2009. All attempts to use a malware or spyware program failed to remove it. Possible that this is kin to antivirus 2009.

    I found this in hijackthis:
    O20 - AppInit_DLLs: C:\WINDOWS\system32\fpfstb.dll

    I used Malwarebytes’ FileASSASSIN to delete the file. It couldn’t delete it while running, but needed to restart to remove the file. After the file was removed the FileFixer Pro 2009 has not shown its head.
  20. #26
  21. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Mar 2009
    Posts
    3
    Rep Power
    0
    Originally Posted by drk_phx
    We ran across a PC that was infected with FileFix Pro 2009. All attempts to use a malware or spyware program failed to remove it. Possible that this is kin to antivirus 2009.

    I found this in hijackthis:
    O20 - AppInit_DLLs: C:\WINDOWS\system32\fpfstb.dll

    I used Malwarebytes’ FileASSASSIN to delete the file. It couldn’t delete it while running, but needed to restart to remove the file. After the file was removed the FileFixer Pro 2009 has not shown its head.
    Were you able to get back any of the corrupted files?
  22. #27
  23. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Mar 2009
    Posts
    1
    Rep Power
    0

    can't figure it out


    So I have been battling this for many days. I'm going crazy. I tried Kaspersky anti virus as it can run off a boot disc. The first time I ran it it found 8 viruses, I ran it again and it found 6 more, I'm not sure how that happened. I had most of my files backed up that it says are damaged, so I just deleted them off my hard drive. I am a little worried about downloading the software it wants me to download like it will just mess up more files, I still can run spybot as it will reboot my system. I am about to pull out all of my hair trying to figure this out. I might reinstall windows but I don't know if that's going to fix anything... does anyone know?
  24. #28
  25. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Mar 2009
    Posts
    8
    Rep Power
    0

    one more


    Another victim here. Been going nuts over the past week trying everything I know to get rid of this pest (including most of the methods discussed above), without success. Unable to use computer because the virus continues to corrupt every new data file, so in frustration, I physically removed the hard drive and put in an old drive which had the OS and some of my programs installed (basically, my computer as it was two years ago when I replaced it with the current HD). Beyond removing the infection, the main issue for me is getting back all the corrupted data files (.jpg, .doc, .pdf and .mp3). For obvious reasons I am highly reluctant to install "filefix pro 2009" as prompted by the virus's phony popup warning. Any help to remedy this mess would be vastly appreciated.
  26. #29
  27. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Mar 2009
    Posts
    3
    Rep Power
    0

    I still am beating on the horse


    The attempts in my first post - leave me still infected. But something I have discovered: I can copy these PDF, JPG and Office Docs to another computer (via ext hdd and then scanned...) and I can open them just fine. Are we 'sure' these files are really getting corrupted on the infected machines?
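Post #29 asks whether the files are really corrupted, and posters report different results after moving files to another machine. As an added example (not code from any poster in this thread), this Python script checks the leading bytes of each .doc, .xls, .jpg, .pdf and .mp3 under a folder against the signature its extension implies; the signature table and the sample files are constructed for the demonstration.

```python
import tempfile
from pathlib import Path

OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy Office compound file
# Leading bytes expected for the file types named in this thread.
SIGNATURES = {
    ".pdf": [b"%PDF-"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".doc": [OLE2],
    ".xls": [OLE2],
    # ID3 tag, or the most common MPEG audio frame-sync byte pairs
    ".mp3": [b"ID3", b"\xff\xfb", b"\xff\xfa", b"\xff\xf3", b"\xff\xf2"],
}

def check_header(path):
    """Return 'ok', 'mismatch', 'empty' or 'unknown-type' for one file."""
    expected = SIGNATURES.get(Path(path).suffix.lower())
    if expected is None:
        return "unknown-type"
    with open(path, "rb") as fh:  # read-only: never modifies the file
        head = fh.read(16)
    if not head:
        return "empty"
    return "ok" if any(head.startswith(s) for s in expected) else "mismatch"

def triage(root):
    """Map every file of a known type under root to its header status."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): check_header(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in SIGNATURES
    }

def build_sample(root):
    """Constructed sample data: two intact files, one scrambled, one empty."""
    root = Path(root)
    (root / "docs").mkdir()
    (root / "docs" / "paper.doc").write_bytes(OLE2 + b"\x00" * 24)
    (root / "docs" / "thesis.pdf").write_bytes(b"\x8a\x13\x5c\x77garbage")
    (root / "photo.JPG").write_bytes(b"\xff\xd8\xff\xe0\x00\x10JFIF")
    (root / "song.mp3").write_bytes(b"")
    (root / "notes.txt").write_bytes(b"not checked")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for name, status in triage(tmp).items():
            print(f"{status:9} {name}")
```

A header check only sees the first bytes, so an "ok" file can still be damaged further in; a "mismatch" on files copied to a clean machine shows the damage is in the file itself and not in how the infected system opens it.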
  28. #30
  29. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Mar 2009
    Posts
    3
    Rep Power
    0
    I have made some progress, thanks to the help from this board. I was able to get rid of the System Tray pop up. I used Malware's File Assassin and set it to delete the following file upon restart:

    C:\Windows\System32\fpfstb.dll

    Since I have done that I have not gotten the system tray message and any NEW file that I create or that comes in via e-mail I can open without it being corrupted. My old files are still corrupted though. I have tried moving them to another machine and I get the same corrupted message when trying to open those. At least my machine is free from this, I would just love to get my files back!
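Posts #25 and #30 both trace the popup to a DLL listed on the HijackThis `O20 - AppInit_DLLs` line. As an added example (not code from the thread), this Python script pulls every DLL named on O20 lines out of a HijackThis log and reports those missing from a reviewer-supplied allowlist; the sample log is constructed, `example_hook.dll` and the `ExampleTray` entry are hypothetical, and only the `fpfstb.dll` path comes from the posts.

```python
import re

# HijackThis writes the AppInit_DLLs registry value as "O20 - AppInit_DLLs: <list>".
O20_RE = re.compile(r"^\s*O20\s*-\s*AppInit_DLLs:\s*(.*)$", re.IGNORECASE)

def appinit_entries(log_text):
    """Return every DLL named on O20 AppInit_DLLs lines of a HijackThis log."""
    found = []
    for line in log_text.splitlines():
        match = O20_RE.match(line)
        if match:
            # The registry value is a space- or comma-delimited list of DLLs.
            found.extend(t for t in re.split(r"[,\s]+", match.group(1)) if t)
    return found

def unexpected(entries, allowlist):
    """Return entries not on the allowlist (Windows paths: case-insensitive)."""
    allowed = {a.lower() for a in allowlist}
    return [e for e in entries if e.lower() not in allowed]

# Constructed sample log; example_hook.dll stands in for a DLL the reviewer
# has already verified as legitimate on this machine (hypothetical name).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\fpfstb.dll,C:\WINDOWS\system32\example_hook.dll
"""
ALLOWLIST = [r"c:\windows\system32\example_hook.dll"]

if __name__ == "__main__":
    for dll in unexpected(appinit_entries(SAMPLE_LOG), ALLOWLIST):
        print("review before next reboot:", dll)
```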
