Q: What about the FileError_22001 (Trojan.Encoder.33) virus?
A: Here is some information about it published by DrWeb:
Doctor Web reports the appearance on the Internet of a new modification of Trojan.Encoder. This Trojan applies encryption mechanisms different from those of earlier versions to various text documents and images stored on users' computers. Doctor Web's experts suggest that everyone affected by Trojan.Encoder.33 use the free utility.
Like earlier versions, Trojan.Encoder.33 encrypts users' data, but uses new mechanisms to do so. Files with the extensions .txt, .jpg, .jpeg, .doc, .docx and .xls are at risk; the Trojan moves them to the folders:
C:\Documents and Settings\<username>\Local Settings\Application Data\CDD
C:\Documents and Settings\<username>\Local Settings\Application Data\FLR
At the same time, the original files are replaced with the message "FileError_22001".
Unlike earlier modifications, Trojan.Encoder.33 does not display any messages demanding payment of various sums of money. The Trojan encrypts the user's data only if it manages to contact an external server.
As usual, Doctor Web's experts reacted promptly to the appearance of the new threat on the Internet, preparing a free utility for decrypting files and eliminating the consequences of Trojan.Encoder.33's activity.
Q: What to do if you were infected?
A: Some information published by Symantec:
This infection creates a catch-22 situation: the tool from Dr Web that decrypts the original files needs the infection to still be on the system (well, the registry keys), though you can stop it from running in Msconfig.
That said, if your security software, like Norton, has the malware flagged as High Risk, then the infection is removed automatically without asking the user what to do, and there is the problem. If the registry keys are removed by Norton, or by people doing the usual scanning with SuperAntispyware or Malwarebytes, then the decrypter doesn't work.
Steps to take as long as Norton hasn't removed the infection:
1. Use "Msconfig" to deselect the startup process in the Startup tab. The process you are looking for looks something like "43718D7A.exe". Then apply and restart the PC. After that the Trojan should not be active.
2. Back up the 2 folders with the encrypted original files,
\Documents and Settings\<username>\Local Settings\Application Data\CDD,
\Documents and Settings\<username>\Local Settings\Application Data\FLR,
to a pen drive, CD, DVD etc., in case the decryption goes bad.
3. Now use the Dr Web decrypting tool to decrypt the .fcd files in the folders above back to their original state. If the tool doesn't work when in your account, try when logged in via the other users' accounts, if any are available.
4. Once you have your original files back and you are satisfied all your photos etc. are back, back them up for safety.
5. Remove the Trojan completely.
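The backup in step 2, as an added example that is not from Symantec, DrWeb or the deFE22001 project: a Python script that copies the CDD and FLR folders to a backup location and checks every copy against its source by SHA-256, so a failed decryption can be retried from known-good copies. It only reads the source folders and touches no registry keys; the function names, the manifest.sha256 file name and the availability of Python 3 on the machine are assumptions.

```python
import hashlib
import shutil
import sys
from pathlib import Path

ENCRYPTED_DIRS = ("CDD", "FLR")  # folder names as given on this page


def sha256_of(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def backup_encrypted_folders(app_data: Path, dest: Path) -> dict:
    """Copy CDD and FLR from app_data into dest and verify every copy.

    Returns {relative path: sha256}. Source files are only read.
    """
    roots = [app_data / n for n in ENCRYPTED_DIRS if (app_data / n).is_dir()]
    if not roots:
        raise FileNotFoundError(f"no CDD or FLR folder under {app_data}")
    dest.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for root in roots:
        for src in sorted(p for p in root.rglob("*") if p.is_file()):
            rel = src.relative_to(app_data)
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, target)  # copy2 also keeps timestamps
            digest = sha256_of(src)
            if sha256_of(target) != digest:
                raise OSError(f"copy of {rel} does not match its source")
            manifest[rel.as_posix()] = digest
    # Keep the hashes beside the backup so it can be re-checked later.
    lines = [f"{h}  {p}" for p, h in sorted(manifest.items())]
    (dest / "manifest.sha256").write_text("\n".join(lines) + "\n")
    return manifest


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: backup_fcd.py <Application Data folder> <backup folder>")
    done = backup_encrypted_folders(Path(sys.argv[1]), Path(sys.argv[2]))
    fcd = sum(1 for p in done if p.lower().endswith(".fcd"))
    print(f"backed up and verified {len(done)} files ({fcd} .fcd)")
```

Run it once per affected user account, pointing the first argument at that account's Local Settings\Application Data folder.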
Q: What is the deFE22001 project?
A: The aim of this project is to write a decryption tool for the virus.
Q: But there is already a decryption tool - who needs another one?
A: The tool from DrWeb doesn't handle all situations. Sometimes users see "PC is not infected" or "Unable to find main key" error messages. deFE22001 should be able to work even in those cases.
Q: Good! So where do I download your decryption tool from?
A: The tool is in development right now and will be available for download within a few days.
Q: What is the FCDInfo tool and what is it needed for?
A: FCDInfo is a diagnostics tool. Whenever you get an error during decryption, please post it to our forums along with the output from the FCDInfo tool.
Q: More questions?
A: Coming soon...