Antivirus Protection
 
#61
March 20th, 2009, 09:04 PM
aschap
windows update restore

So I've removed the filefix infection from the computer with Grinler's help, but before I worry about the corrupted files I'd love to turn Windows Update back on, but all attempts still fail -

Any advice?

#62
March 21st, 2009, 12:00 AM
Pop45398
Quote:
Originally Posted by aschap
So I've removed the filefix infection from the computer with Grinler's help, but before I worry about the corrupted files I'd love to turn Windows Update back on, but all attempts still fail -

Any advice?


Try: http:_SlashSlash_support.microsoft.com/?kbid=326686

Replace "_SlashSlash_" with "//" ... forum rules won't allow me to post URLs ... I guess that begs the question as to why I'd even bother helping someone here??????

#63
March 21st, 2009, 12:57 AM
midwesternwire
It took two days to remove this virus

I saw this Windows File Protection pop-up that said my MS Office and media files were corrupt. I clicked on the message bubble and it took me to the File Fix Professional 2009 web site. It looked fishy and cost money, so I closed the browser and went on with my business, thinking I'd deal with it later. I tried to open an MS Word document, but it said the software was corrupt and it closed, then opened a box containing a very long list of files that it thought were corrupt. Moments later the original pop-up appeared again. I opened the browser to start a Google search for the problem and it immediately went to a random financial website (Firefox was hijacked). Windows Defender popped up and said I had a virus.

I started to scan my system for the virus, but after a few moments a pop-up appeared and said my computer was going to shut down in 60 seconds. Every subsequent attempt to remove the virus started the shutdown process again. I started doing Start->Run->shutdown -a. That worked for a while. I'd have to do it every 30 seconds because the virus scan couldn't complete. Plus the virus kept mutating and would stop telling me when the computer was going to shut down. The system would just stop responding and restart automatically. Eventually, the virus started to remove the explorer bar when it was going to shut down, so I couldn't do anything but watch the system restart.

After extensive research, I discovered what files were causing the trouble, but the virus locked them so I couldn't delete them manually. I tried to use FileASSASSIN. That allowed me to remove a few files, but they would be reinstalled. Things deteriorated to the point that I couldn't even use safe boot. I had to use the XP CD's recovery program and reinstall the infected OS files. When my computer was back up and usable I still had the viruses and the Windows File Protection pop-up. I updated my virus software, Malwarebytes' Anti-Malware and SUPERAntiSpyware. I needed both because they detected different viruses.

After going back and forth between scanning with the anti-virus programs in normal OS mode then scanning in safe boot, I finally removed the viruses. I had several. The virus also changed my internet settings so nothing could connect to the internet. Everything was set to use a proxy and a few different ports and IP addresses. I reinstalled SP3 and checked the files that were affected. Everything seems fine now. I have never had such an aggressive virus. I think the key is DO NOT CLICK ON THE 'WINDOWS FILE PROTECTION' MESSAGE. If that message comes up, close all your programs. Update your virus protection software and 'DISCONNECT FROM THE INTERNET'. Run your virus protection program. This virus moves fast and infects everything.

#64
March 21st, 2009, 04:07 PM
Grinler
The guide at BC was updated to include a tool that will scan a folder or drive, find encrypted files, and clean them automatically using the technique that Julia graciously supplied.

The guide can be found here:

http://www.bleepingcomputer.com/forums/topic212357.html
__________________
Grinler
BleepingComputer.com Virus removal Guides

#65
March 21st, 2009, 07:06 PM
0negative
Thanks so much for your efforts. I can't believe I got my files back!

#66
March 23rd, 2009, 05:37 PM
Grinler
Looking for feedback to make sure the file decryptor is working properly. Anyone run into any issues or does it appear to be working for you?

#67
March 24th, 2009, 12:55 AM
roo42
Quote:
Originally Posted by Grinler
Looking for feedback to make sure the file decryptor is working properly. Anyone run into any issues or does it appear to be working for you?


First, I'd like to express my deepest gratitude to Julia Wolf, Grinler, and everyone else who worked to defeat this most destructive malware attack, and to develop a tool to enable us to restore our corrupted data files.

I am in the process of using the tool to repair my damaged files, and have been successful with all affected formats (.doc, .jpeg, .pdf and .mp3). As to the operation of the tool, I have observed that while in use it commands 100% of CPU resources, thus one can't really do anything else on the computer at the same time; also, whereas both the encrypting operation of the virus and the decrypting operation of the Filefix Pro "cure" seemed to do their work almost instantaneously, the "anti-filefix" tool takes substantially more time to work, with the time increasing along with file size. For example, decryption of a .jpg of about 5 MB takes 30 seconds to a minute to complete. (I have quite a few photos to process, so I have been running the tool overnight.)

#68
March 24th, 2009, 08:40 AM
Grinler
I will see what I can do about speeding up, but no promises there.

#69
March 24th, 2009, 03:22 PM
Julia Wolf
Quote:
Originally Posted by Grinler
I will see what I can do about speeding up, but no promises there.


Filefix itself reads a 0x10000 byte chunk of the file at a time, decrypts it in memory, and writes it back out... Just FYI

Here are my notes about the decryption algorithm implementation in Filefix Pro:

http://blog.fireeye.com/research/2009/03/filefix-professional-2009-cryptanalysis.html

Reply With Quote
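Added example, not part of the original post and not the Anti-FileFix tool's code: a recovery tool can work through a file in the 0x10000-byte chunks described above while writing to a temporary copy, replacing the original only after the output's leading bytes match the expected file type. `placeholder_transform` is a hypothetical stand-in (single-byte XOR) for the real algorithm, which is not given on this page, and the sketch assumes each chunk can be transformed independently.

```python
import os
import tempfile

CHUNK_SIZE = 0x10000  # chunk size quoted in the post above
# Leading bytes of two of the file types mentioned in this thread.
MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".pdf": b"%PDF-"}
# Constructed lookup table for the stand-in transform (XOR with 0x5A).
XOR_TABLE = bytes(i ^ 0x5A for i in range(256))


def placeholder_transform(chunk):
    """Stand-in only (single-byte XOR); NOT the Filefix algorithm."""
    return chunk.translate(XOR_TABLE)


def recover_file(path, transform=placeholder_transform, chunk_size=CHUNK_SIZE):
    """Stream path through transform chunk by chunk into a temp file beside it.

    The original is replaced only if the output starts with the magic bytes
    expected for its extension. Returns True when the file was replaced.
    """
    expected = MAGIC.get(os.path.splitext(path)[1].lower())
    if expected is None:
        return False  # nothing to verify against: leave the file untouched
    folder = os.path.dirname(os.path.abspath(path))
    fd, tmp_path = tempfile.mkstemp(dir=folder, suffix=".recovering")
    verified = replaced = False
    try:
        with open(path, "rb") as src, os.fdopen(fd, "wb") as dst:
            while True:
                chunk = src.read(chunk_size)  # at most one chunk in memory
                if not chunk:
                    break
                out = transform(chunk)
                if not verified:
                    if not out.startswith(expected):
                        break  # wrong transform, or file was never encrypted
                    verified = True
                dst.write(out)
        if verified:
            os.replace(tmp_path, path)  # swap in only the complete copy
            replaced = True
    finally:
        if not replaced and os.path.exists(tmp_path):
            os.remove(tmp_path)  # never leave partial output behind
    return replaced
```

Because the original is only replaced after the header check passes, a file that was never encrypted, or one processed with the wrong transform, is left byte-for-byte intact.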
#70
March 24th, 2009, 04:45 PM
Grinler
Thanks Julia. Will pass the info along to Bobby.

#71
March 25th, 2009, 12:35 AM
midwesternwire
This is great. Thank you!!!

I ran Anti-FileFix and it de-encrypted the rest of my files.

Thank you so much for this.

Quote:
Originally Posted by Grinler
The guide at BC was updated to include a tool that will scan a folder or drive, find encrypted files, and clean them automatically using the technique that Julia graciously supplied.

#72
March 27th, 2009, 09:23 AM
Grinler
Quote:
Originally Posted by roo42
For example, decryption of a .jpg of about 5 MB takes 30 seconds to a minute to complete. (I have quite a few photos to process, so I have been running the tool overnight.)


The tool has been optimized and should run much faster now. If you are still decrypting files, please redownload it and use the newer version.

#73
October 30th, 2009, 11:53 PM
Lordeluna_2dark
I am using the Anti-Filefix and it's not working. I am not sure what's going on; I selected folder, then scan and fix. Though nothing is being decoded.

#74
November 15th, 2009, 09:33 PM
MrBorsa
Quote:
Originally Posted by Lordeluna_2dark
I am using the Anti-Filefix and it's not working. I am not sure what's going on; I selected folder, then scan and fix. Though nothing is being decoded.


Me too


Viewing: Dev Shed Forums > System Administration > Antivirus Protection > Filefix Professional 2009

