The initial symptom is that the files are renamed to xxxx.doc.NCRYPTED.NCRYPTED.NCYRPTED.NCRYPTED.ncrypted
Renaming the file to remove the rubbish on the end makes no difference as the file is still unreadable - appears the file header has been altered perhaps?
There is also a text file left behind with the following:
"Some files on your machine are encrypted and your private informations were collected and sent to us.
To decrypt files so you could use them again, you have to buy our decryptor.
After you buy decryptor, your files will be decrypted, and we will destroy your private informations from our system, and help you remove malicious software from your system.
To buy decryptor, contact us at: firstname.lastname@example.org or email@example.com
If you dont contact us, your private informations will be shared and you will loose all your data."
Normally, I would just run a format & reinstall the system but in this case the customer is desperate to keep their data since they have no backup.
So far I have run multiple virus scans with NOD32 which has pulled off some 30+ infections. I have also run spyware scans but of course this has had no effect.
Goggle has so far been unable to help and I'm not very confident of being able to get this resolved.
Any ideas or help would be greatly appreciated!