March 18th, 2009, 11:04 AM
I tried your suggestion AlpenIT, but it did not work for me; jpg's would not open in any application. Evidence that the files were truly corrupted is that: 1) when viewed in Windows Explorer the "date modified" field has been altered to a post-infection date and 2) comparing the "ANSI" language (viewed in Notepad) of the identical jpg files in which one was infected and one not (uninfected file was a backed up copy) shows substantial differences.
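The comparison described in the post above can be automated instead of being done by eye in Notepad. The following is an added example, not part of the original thread: a Python sketch that checks each file's leading signature bytes against its extension and compares the file with its backup copy by hash. The directory arguments, function names and sample files are assumptions constructed for illustration, and a header check only catches damage that reaches the first bytes of a file.

```python
import hashlib
import tempfile
from pathlib import Path

# Leading signature ("magic") bytes for the file types named in the thread.
SIGNATURES = {
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
    ".doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # OLE2 container (Word 97-2003)
}

def header_ok(path):
    """True/False when the header matches/mismatches; None if the type is not covered."""
    sig = SIGNATURES.get(path.suffix.lower())
    if sig is None:
        return None
    with path.open("rb") as fh:
        return fh.read(len(sig)) == sig

def digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def triage(live_dir, backup_dir):
    """Map each file under live_dir (relative path) to a status string."""
    report = {}
    for live in sorted(p for p in Path(live_dir).rglob("*") if p.is_file()):
        rel = live.relative_to(live_dir)
        backup = Path(backup_dir) / rel
        ok = header_ok(live)
        if ok is False:
            report[str(rel)] = "bad-header"
        elif backup.is_file() and digest(live) != digest(backup):
            report[str(rel)] = "differs-from-backup"
        else:
            report[str(rel)] = "ok" if ok else "unchecked"
    return report

def demo():
    """Constructed sample data: a.jpg is intact, b.jpg has scrambled content."""
    good = b"\xff\xd8\xff\xe0" + b"constructed image data"
    with tempfile.TemporaryDirectory() as live, tempfile.TemporaryDirectory() as bak:
        for name in ("a.jpg", "b.jpg"):
            Path(live, name).write_bytes(good)
            Path(bak, name).write_bytes(good)
        Path(live, "b.jpg").write_bytes(bytes(x ^ 0x5A for x in good))
        return triage(live, bak)

if __name__ == "__main__":
    print(demo())
```

Point triage() at a read-only copy or image of the affected disk and at the backup folder; files reported as "bad-header" or "differs-from-backup" are the ones to restore from backup.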
March 18th, 2009, 11:18 AM
Here are two findings in my scans; the one virus 'new....' looks suspicious - anyone find a new bug they haven't seen before?
I have spent too much time here. I am imaging the infected system, will do a wipe to the hard drive - to get rid of the old boot sector info too - this will get rid of any threat the boot sector is involved - then I can install fresh XP.
GameThief.OnLineGames File i:\windows\instsp2.exe
I:\lwvjuv.exe - probably unknown NewHeur_PE virus  - unable to clean
I was able to remove these to no avail. I also found a couple other suspect executables under the root and removed them.
Good luck all - this needs to be taken apart and resolved soon... good hunting.
March 18th, 2009, 11:27 AM
Filefix Professional 2009
Malwarebytes removal tool and rebooted my computer. The popup never came back but I still can't get my pics to work.
Also run malwarebytes after reboot.
I also used "trojan remover"
March 18th, 2009, 01:20 PM
Shut down your **** immediately because it's silently working your whole hard drive. So unless a fix comes out, I've lost all the websites I've done the past few months and all my photos! I can't even find the site to get the software for the fix.
March 18th, 2009, 01:32 PM
Good morning, I have to try to buy with a generator of CB. But I do not have a check to generator. If somebody to split and to buy the licence that it opposite to be of benefit everybody with his numero of licence. Thank you Good luck.
March 18th, 2009, 02:19 PM
Like others have suggested, I used MalwareBytes FileAssassin to remove fpfstb.dll from Windows/System32 and this successfully stopped the popups/BSODs/shutdowns.
So good news there. Unfortunately, all my docs are still corrupted/encrypted, whatever the case may be.
But progress is better than no progress!
March 18th, 2009, 04:05 PM
I bit the bullet and installed "Filefix pro" as prompted by the infernal popup. I ran it in the trial mode and can confirm that the files corrupted by this virus can be decrypted and thus restored by "Filefix." But the trial mode permits only one restoration; subsequent attempts failed to work. Still, it's a relief to know that the data files have not been destroyed but merely encrypted, and thus the possibility exists of getting them back. Now, if someone out there has the expertise to either figure out a way to defeat the one file limitation of the trial mode, or to reverse engineer the program to extract the decryption algorithm, it would be fantastic. Unfortunately, this kind of work is beyond my abilities; is anyone up for the challenge?
March 18th, 2009, 04:10 PM
I've got it. It even shuts me down when running scans in safe mode. I'm thinking of doing a wipe and reload to kill it.
I've been hunting it with spybot, Malwarebytes, McAfee and 'windows defender.'
None of them seem to be able to find it.
March 18th, 2009, 05:13 PM
File assassin on this one worked for me. (I think.)
Silly me I didn't see the rest of the thread when I posted! Gah.
And the other one.... combofix, got rid of some OTHER viruses I couldn't kill and didn't really know about.
March 19th, 2009, 10:34 AM
The next person who encounters this thread and has the infection, or the DLL responsible, can you please submit a sample of the DLL infection to me. I will write up a formal guide on how to remove this infection and hopefully repair the documents.
The file I am looking for is:
Simply go here and fill in the required fields and browse to the C:\Windows\System32\fpfstb.dll file on your desktop. Finally click on the Send File button.
Thanks in advance.
March 19th, 2009, 11:05 AM
Thank you so much Grinler for your offer to help. I tried to send you a copy of the dll file, but not sure it went through; let me know if you didn't get it. Also, would it make sense to take a look at the Filefix Pro 2009 program, which seems to have the capacity to restore the corrupted data files?
March 19th, 2009, 11:52 AM
First, I want to thank everyone for posting their experience with this malware. There is limited information anywhere else on the web on this.
I too was hit with this malware. So much for using Online Armour firewall which seemed to be the first thing to go bonkers when I got hit with this.
It took out Online Armour, my antivirus program and shut down windows update.
It is correct that you want to get rid of C:\WINDOWS\system32\fpfstb.dll. There is a secondary file that needs to be deleted also.
After shelling out many dollars for many products in trying to wipe out this one, I recommend use of a product called unhackme which is available for a free trial (with full functionality). It identified this .dll and the related .dll and deleted them by adding a .del extension. For good measure I used malwarebytes to get rid of the offending files permanently.
I have since paid for unhackme and have it scanning regularly. You can find it at Greatis Software. I saw a reference to it on another board.
With respect to the malware itself (which was installed along with a host of other malware - mostly advertising junk that took over my browsers), I did not run it.
It was sneaky as it disguised itself as the Windows Security Center tray icon. But when I clicked on it and saw that a Windows feature was recommending a non-Microsoft product for repair - I became suspicious.
I then confirmed that FileFix Professional 2009 was not a Microsoft product via a quick Google search. I closed down the install. I then went ahead and checked my MS Office documents, which were all intact.
Then came the day and a half of trying to get rid of this bugger which I did as I mentioned above.
Lessons: If a MS Windows program recommends a non-Microsoft product - do not trust it. Do not run it. Do not rely on the typical commercial products to get rid of the malware (Spyware Doctor or any of the other popularly reviewed software). Finally, be sure you regularly back up your important files to an external drive.
Nasty stuff. Again, thank you for the posts on this board.
March 19th, 2009, 11:56 AM
Got the fpfstb.dll file. This is the trigger for the alerts and corrupts the docs when you open them. If anyone has any Word docs that don't have personal info and are corrupted, I can take a look.
Also if you have any other related files to this infection please submit them as well.
Last edited by Grinler; March 19th, 2009 at 12:52 PM.
March 19th, 2009, 01:14 PM
Since removing the fpfstb.dll file, not only have the popups ceased but newly created data files do not get automatically corrupted when attempting to open them by means of Windows Explorer. Perhaps it is also significant that such newly created data files did not get corrupted, even with fpfstb on the system, if opened by way of the relevant application (e.g., Word for .doc files, Acrobat for .pdf, etc.); however, on a reboot, the malware would somehow find and corrupt these newly created data files as well. I still think the key to getting our data back lies in the Filefix Pro application, which has demonstrated the capacity to decrypt/restore the affected data files.
March 19th, 2009, 01:54 PM
Is there any way to decrypt files that have been infected by this? Russians are dog ****!