
FileError_22001 Fix

Discussion in 'General Malware And Security' started by fintansmobilemail@gmail.com, Dec 18, 2008.

  1. Ok guys, is this a conspiracy? Search FileError_22001 on all the top
    Anti Virus company sites and they all show no results.
    Dear Anti Virus companies, WAKE UP!! People's files all over the world
    are being corrupted, everything from work documents, travel documents
    to wedding and kid photos.
    It's times like this that the general public needs you Anti Virus
    guys, and from the industry, nothing, absolutely nothing, a
    disorganized bunch of decent people are trying various things, but the
    big public companies with stock Nasdaq listings and shareholders, not
    a shred of help.
    On behalf of the affected around the world, I’d like to offer a BIG
    Thanks for nothing guys!
    The least you could do is put a note on your websites saying you are
    working on it and give us regular people with our digital cameras some
    hope. Bring back 35mm film. Hmmm perhaps this is a conspiracy plotted
    by AGFA or Fuji Film working with Eastman Kodak to bring back 35mm
    film after all the world's digital photos have been erased.
    So come on Mr. Anti Virus company Executive, round up the troops and
    show us you are really a pillar of society.

    Please
     
  2. Peter Foldes

    Peter Foldes Guest

    See the same issue and answers 4 posts below yours here in
    Microsoft.public.security.virus by Max in KL on 12/16/2008 at 10:32 AM

    --
    Peter

    Please Reply to Newsgroup for the benefit of others
    Requests for assistance by email can not and will not be acknowledged.

    <fintansmobilemail@gmail.com> wrote in message
    news:890a7532-148b-4280-b6b6-ccfd6af200ec@o4g2000pra.googlegroups.com...
    Ok guys, is this a conspiracy? Search FileError_22001 on all the top
    Anti Virus company sites and they all show no results.
    Dear Anti Virus companies, WAKE UP!! People's files all over the world
    are being corrupted, everything from work documents, travel documents
    to wedding and kid photos.
    It's times like this that the general public needs you Anti Virus
    guys, and from the industry, nothing, absolutely nothing, a
    disorganized bunch of decent people are trying various things, but the
    big public companies with stock Nasdaq listings and shareholders, not
    a shred of help.
    On behalf of the affected around the world, I’d like to offer a BIG
    Thanks for nothing guys!
    The least you could do is put a note on your websites saying you are
    working on it and give us regular people with our digital cameras some
    hope. Bring back 35mm film. Hmmm perhaps this is a conspiracy plotted
    by AGFA or Fuji Film working with Eastman Kodak to bring back 35mm
    film after all the world's digital photos have been erased.
    So come on Mr. Anti Virus company Executive, round up the troops and
    show us you are really a pillar of society.

    Please
     
  3. From: <fintansmobilemail@gmail.com>

    | Ok guys, is this a conspiracy? Search FileError_22001 on all the top
    | Anti Virus company sites and they all show no results.
    | Dear Anti Virus companies, WAKE UP!! People's files all over the world
    | are being corrupted, everything from work documents, travel documents
    | to wedding and kid photos.
    | It's times like this that the general public needs you Anti Virus
    | guys, and from the industry, nothing, absolutely nothing, a
    | disorganized bunch of decent people are trying various things, but the
    | big public companies with stock Nasdaq listings and shareholders, not
    | a shred of help.
    | On behalf of the affected around the world, I’d like to offer a BIG
    | Thanks for nothing guys!
    | The least you could do is put a note on your websites saying you are
    | working on it and give us regular people with our digital cameras some
    | hope. Bring back 35mm film. Hmmm perhaps this is a conspiracy plotted
    | by AGFA or Fuji Film working with Eastman Kodak to bring back 35mm
    | film after all the world's digital photos have been erased.
    | So come on Mr. Anti Virus company Executive, round up the troops and
    | show us you are really a pillar of society.

    | Please

    You have to realize that if this is a case of cryptovirology then it is possible there may
    be NOTHING that can be done if someone gets infected and their data files are encrypted.
    All an AV company can do is protect against being infected through signature and heuristic
    detection.

    Recently I offered "special attention" to someone who was infected. They didn't take me
    up on the offer.

    --
    Dave

    Multi-AV -
     
  4. inline
    <fintansmobilemail@gmail.com> wrote in message
    news:890a7532-148b-4280-b6b6-ccfd6af200ec@o4g2000pra.googlegroups.com...
    Ok guys, is this a conspiracy? Search FileError_22001 on all the top
    Anti Virus company sites and they all show no results.

    ***
    This is a symptom, not a name.
    ***

    Dear Anti Virus companies, WAKE UP!! People's files all over the world
    are being corrupted, everything from work documents, travel documents
    to wedding and kid photos.

    ***
    I'm sure if it gets widespread enough there will be information available.
    There is nothing AV can do after you are affected by cryptoviral extortion
    (if indeed this is what it is - AKA ransomware). AV is not responsible for
    users who execute malicious software on their computers. AV is only a tool
    to help users to protect themselves.
    ***

    [snipped rest of misguided rant]
     
  5. Leythos

    Leythos Guest

    In article <OIGgZMXYJHA.4456@TK2MSFTNGP04.phx.gbl>,
    erratic@nomail.afraid.org says...
    > Dear Anti Virus companies, WAKE UP!! People's files all over the world
    > are being corrupted, everything from work documents, travel documents
    > to wedding and kid photos.

    How about "Dear computer user, WAKE UP and stop doing stupid things!"

    How about "Dear computer user, learn about good practices for protecting
    your computer and network so that you're not compromised"

    It's not the AV companies that will protect you, it's your own diligence
    that will protect you.

    --
    - Igitur qui desiderat pacem, praeparet bellum.
    - Calling an illegal alien an "undocumented worker" is like calling a
    drug dealer an "unlicensed pharmacist"
    spam999free@rrohio.com (remove 999 for proper email address)
     
  6. Hi Leythos,

    None of what follows was said by me, but that *is* my posted e-mail
    address in the newsgroups. You are actually replying to the OP. Fact is
    ....I agree with you. Most of the malware out there depends heavily on
    people doing stupid things. Judging by some of the successful malware
    I've seen in the past...there is no shortage of stupidity (nor any limit to
    it).

    "Leythos" <spam999free@rrohio.com> wrote in message
    news:MPG.23b57336a09dda77989792@us.news.astraweb.com...
    > In article <OIGgZMXYJHA.4456@TK2MSFTNGP04.phx.gbl>,
    > erratic@nomail.afraid.org says...
    >> Dear Anti Virus companies, WAKE UP!! People's files all over the world
    >> are being corrupted, everything from work documents, travel documents
    >> to wedding and kid photos.
    >
    > How about "Dear computer user, WAKE UP and stop doing stupid things!"
    >
    > How about "Dear computer user, learn about good practices for protecting
    > your computer and network so that you're not compromised"
    >
    > It's not the AV companies that will protect you, it's your own diligence
    > that will protect you.
    >
    > --
    > - Igitur qui desiderat pacem, praeparet bellum.
    > - Calling an illegal alien an "undocumented worker" is like calling a
    > drug dealer an "unlicensed pharmacist"
    > spam999free@rrohio.com (remove 999 for proper email address)
     
  7. From: "FromTheRafters" <erratic@nomail.afraid.org>

    | Hi Leythos,

    | None of what follows was said by me, but that *is* my posted e-mail
    | address in the newsgroups. You are actually replying to the OP. Fact is
    | ...I agree with you. Most of the malware out there depends heavily on
    | people doing stupid things. Judging by some of the successful malware
    | I've seen in the past...there is no shortage of stupidity (nor any limit to
    | it).

    I'd like to get a sample of this infector to our "group" to get this analyzed. All we
    have seen are resultant, damaged, files and they are bastardized similarly to what GPCode
    did.

    --
    Dave

    Multi-AV -
     
  8. "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
    news:eiBstfiYJHA.652@TK2MSFTNGP04.phx.gbl...
    > From: "FromTheRafters" <erratic@nomail.afraid.org>
    >
    > | Hi Leythos,
    >
    > | None of what follows was said by me, but that *is* my posted e-mail
    > | address in the newsgroups. You are actually replying to the OP. Fact is
    > | ...I agree with you. Most of the malware out there depends heavily on
    > | people doing stupid things. Judging by some of the successful malware
    > | I've seen in the past...there is no shortage of stupidity (nor any limit
    > | to it).
    >
    > I'd like to get a sample of this infector to our "group" to get this
    > analyzed. All we have seen are resultant, damaged, files and they are
    > bastardized similarly to what GPCode did.

    Interestingly, a couple of the "forums" I read from have suggested
    navigating to a registry key - to get a filename - and delete both the
    file and the key value.
    My thinking is that doing such things before you know what you are dealing
    with is ill advised. What if it *is* ransomware and the perpetrator needs
    the file you just deleted in order for you to decrypt your files?

    Obviously, I cannot vouch for any information found in such "forums".
     
  9. From: "FromTheRafters" <erratic@nomail.afraid.org>


    | Interestingly, a couple of the "forums" I read from have suggested
    | navigating to a registry key - to get a filename - and delete both the
    | file and the key value.
    | My thinking is that doing such things before you know what you are dealing
    | with is ill advised. What if it *is* ransomware and the perpetrator needs
    | the file you just deleted in order for you to decrypt your files?

    | Obviously, I cannot vouch for any information found in such "forums".

    It is a case of Cryptovirology and DrWeb calls it "Trojan.Encoder.33" and has a tool for
    decryption.


    10% of the files can be decrypted based upon a key in the Registry.
    The other 90% can be decrypted through a predictable key.


    --
    Dave

    Multi-AV -
     
  10. On Dec 20, 12:50 pm, "FromTheRafters" <erra...@nomail.afraid.org>
    wrote:
    > "David H. Lipman" <DLipman~nosp...@Verizon.Net> wrote in message
    > news:e7oNBipYJHA.4852@TK2MSFTNGP04.phx.gbl...
    >
    > > It is a case of Cryptovirology and DrWeb calls it "Trojan.Encoder.33" and
    > > has a tool for decryption.
    > >
    > > 10% of the files can be decrypted based upon a key in the Registry.
    > > The other 90% can be decrypted through a predictable key.
    >
    > Thanks Dave.

    This is definitely a case of Cryptovirology as I've just spent the last
    couple of hours trying to clean my parents' computer which has been
    compromised. The above download does appear to work; however, it is
    important not to clean the registry entries that contain the key for
    the encrypted files. I'd therefore advise people not to run any
    anti-malware or antivirus software until they have recovered their files.

    I have to agree with the original poster about the lack of information
    available about this virus. It is quite scarce which might indicate
    that it is a very new trojan. The computer that was compromised was
    running NOD32 and it did not detect the trojan at any point even with
    heuristics on and the virus database fully up to date. I did find that
    the latest IE 7 security patch had not been applied to the system so
    it may have got onto the system via this exploit.

    I'm still not sure what the name of the exact trojan is as there seems
    to be some disagreement about what its name is (Trojan.Encoder.33?,
    Trojan Downloader.Win32.Agent.atnu?) so I have still yet to ascertain
    what steps need to be taken to fully clean the system. I'm not taking
    any chances especially considering how easily it by-passed the
    anti-virus software so I intend to do a low level format of the drive and
    then reinstall Windows.
     
