March 17th, 2009, 03:17 PM
I had the same infected. Ran the gamut of programs, but this is the only one that worked. Files are still showing as corrupted, but that is a different battle now. Watch out for the Vundo virus, that is were I get mine from.
March 17th, 2009, 03:42 PM
Combofix didn't work for me
I used combofix as well. I am still getting the pop-ups on the bottom right of my taskbar. Nothing so far has completely removed it.
March 17th, 2009, 06:04 PM
Just read about this from another tech. While he does not have fix yet, he said if you can recover a document at a time if you install the program but not pay. Here are his comments. (Newest to oldest.)
The link on the fake popup brings you to a page to download the FileFixerPro application. When you download it, it is in Trial Mode, which allows you to decrypt one file at a time (I guess to assure you it works). To do a whole bunch of files, you need to pay. That’s what I meant by trial version.
Oh, and yes, we tried to batch the trial version to do all the files, to no avail.
We found this virus because a student came in with a 22-page paper, due today, that was total gibberish because of the infection. Luckily, we discovered that FileFixerPro has a trial option that lets you decrypt files one at a time. We installed it on a VM image with no network connection, brought the file over, and decrypted it, so it seems the encryption scheme is not machine or time dependent, probably just a basic key encryption, which I hope some White Hat will reverse and publish for free.
March 17th, 2009, 07:25 PM
Hello, I am in france.
my computer it also is infected.
No documents not saved is affected. This monster infects office document but JPEG whose extension is small and PDF.
I hope they will quickly find a solution.
March 17th, 2009, 07:37 PM
Looks like I also have been infected.... Still unsure how but have been trying to correct the problem all day. Just at a loss at this point... reformatting may be the only option but I will give it a day or two for someone to post a remedy.
March 17th, 2009, 11:47 PM
So, I noticed someone said watch out for the "Vundo" trojan...which is the exact virus that combofix found!
I used combofix to stop the initial onslaught of endless randomly named exes that were appearing in my task manager, and then finished it off with Malwarebytes.
Normal1958 says that if you download Filefix Pro 2009 it will fix the corrupted office files...but I am VERY wary of downloading something the virus WANTS me to download. And I am obviously still infected as I keep getting the popups.
In addition, when trying to run the Full Scan option of Malwarebytes in safe mode, I got an error saying that Windows/System32/Services.exe stopped, and my computer was forcing a shutdown....this seems to happen every 40 minutes or so, otherwise I just get a BSOD.
If anyone has found anything else, let us know! It seems we're all in the same boat right now.
PS. Does anyone know if this is a specific virus/malware? Or is it just a bunch of crap all together?
March 18th, 2009, 12:33 AM
And the beat goes on
Just got a case of this on a customer machine. It is a 'thought out' creation as it really makes it hard to get to. Here is what I am seeing so far. It actually removes all former System Restore data from its location - probably deletes it. It changes certain viewing options in folders as it uses hidden files it creates - I have found these in the %temp% folder and System32 folder so far. Booting in safe mode - I can then adjust settings to view these and delete most. Certain features don't work anymore like my Device Manager or 'system' in CP and IE. If I run IE (when it first worked) and an online scan from Safe Mode - it eventually reboots the system before the scan finishes... it also runs itself in Safe Mode - etc etc etc.... BSOD etc. Before I resort to an inplace upgrade or fresh install of XP after a DOD wipe of the drive and boot sectors - I have pulled this HDD and put it into another computer as a non-booting drive. I am scanning (deep) with two softwares on this drive. This should allow me to find the executable(s) responsible - IF- my software will detect - so far it has found a couple of new names I haven't seen yet. Of course the registry is probably involved and since all system restore is gone - the customers registry may be damaged. I'll see what I get and let you know.
March 18th, 2009, 03:41 AM
Well I've now bitten the bullet and formattedd HDD, I started to get srange lockups on other networked PCs and this seems like such an unknown force I don't want to take the risk. Thanks for all those that are trying to fix this, I will keep watching in the hope you get a resolution. Good Luck!!
March 18th, 2009, 09:29 AM
Looks like I spoke to soon
Earlier I posted that the problem was fixed by ComboFix. Apparently, it fixed part of the problem, but not all of it. My laptop is running much better; however, the pop up has started to pop again. I have tried: Spybot, Malwarebytes, McAfee 8.5i, VundoFix, and ComboFix.
I have tried locating the process using ProcExp and ProcMon, but do not see it.
I did download the "fix" into a virtual machine and test the "solution" in the one time test and as expected it does work to fix the file corruption, which seems to be specific to .doc, .xls, .jpeg, and .pdf on my machine. PSD files still work as do CR2 files. But as was noted above, downloading a full program to allow access to files that it locked is not a very savory options. As well thought out as this attack was, I fear the fix would lead to even greater disaster and could lead to a cycle of further corruption and extortion.
Hopefully someone will be able to find the source and we can all get back to work.
March 18th, 2009, 09:58 AM
We ran across a pc that was infected with FileFix Pro 2009. All attempts to use a malware or spyware program failed to remove it. Possible that these is kin to antivirus 2009.
I found this in hijackthis:
O20 - AppInit_DLLs: C:WINDOWSsystem32fpfstb.dll
I used Malwarebytes’ FileASSASSIN to delete the file. It couldn’t delete it while running, but needed to restart to remove the file. After the file was removed the FileFixer Pro 2009 has not shown its head.
March 18th, 2009, 10:30 AM
Were you able to get back any of the corrupted files?
Originally Posted by drk_phx
March 18th, 2009, 10:55 AM
cant figure it out
So I have been battling this for many days. I'm going crazy. I tried kaspersky anti virus as it can run off a boot disc. the first time I ran it it found 8 viruses I ran it again and it found 6 more, Im not sure how that happened. I had most of my flies backed up that it says are damaged, so I just deleted them off my hard drive. I am a little worried about downloading the software it wants me to download like it will just mess up more files, I still can run spybot as it will reboot my system. I am about to pull out all of my hair trying to figure this out. I might reinstall windows but I dont know if thats going to fix anything... does anyone know?
March 18th, 2009, 11:33 AM
Another victim here. Been going nuts over the past week trying everything I know to get rid of this pest (including most of the methods discussed above), without success. Unable to use computer because the virus continues to corrupt every new data file, so in frustration, I physically removed the hard drive and put in an old drive which had the OS and some of my programs installed (basically, my computer as it was two years ago when I replaced it with the current HD). Beyond removing the infection, the main issue for me is getting back all the corrupted data files (.jpg, .doc, .pdf and .mp3). For obvious reasons I am highly reluctant to install "filefix pro 2009" as prompted by the virus's phony popup warning. Any help to remedy this mess would be vastly appreciated.
March 18th, 2009, 11:33 AM
I still am beating on the horse
The attempts in my first post - leave me still infected. But something I have discovered: I can copy these PDF, JPG and Office Docs to another computer (via ext hdd and then scanned...) and I can open them just fine. Are we 'sure' these files are really getting corrupted on the infected machines?
March 18th, 2009, 11:56 AM
I have made some progress, thanks to the help from this board. I was able to get rid of the System Tray pop up. I used Malware's File Assassian and set it to delete the following file upon restart:
Since I have done that I have not gotten the system tray message and any NEW file that I create or that comes in via e-mail I can open without it being corrupted. My old files are still corrupted though. I ahve tried moving them to another machine and I get the same corrupted message when trying to open those. At least my maching is free from this, I would just love to get my files back!