ssgchelp asked on

All Excel Files on Server Share are Corrupt

I have a server running Windows 2008 R2. All clients are running Windows 7 with Office 2007 or Office 2010. All of a sudden, yesterday, the Excel files in a server shared folder have become corrupt. No other file type is corrupt in that folder or sub-folders. No Excel files in any other directory are corrupt. Just this one. When you try to open the file it says "The file you are trying to open, , is in a different format than specified by the file extension". If you say ok then it just shows a lot of garbage in the spreadsheet.

Quota management is off and VSS is not enabled.

Has anyone come across this issue before?
Anti-Virus Apps, Windows Server 2008, Microsoft Excel

Last Comment
AvendraHD

8/22/2022 - Mon
redmondb

Hi, ssgchelp.

Can you post one of the files here, please? (Be careful about the sensitivity of any file that you pick - don't rely on the apparent corruption to hide information.)

Thanks,
Brian.
byundt

The issue may be related to your Anti-Virus software. Or it could be a policy issue that prevents opening old file formats (such as .xls). Both of the above have been found to cause the type of problem you describe.
ASKER
ssgchelp

Here is a file. I think it may have to do with a virus. I restored all Excel files in this directory from the previous night backup to a different location and all the files are fine.
acronyms.xls
redmondb

Thanks, ssgchelp.

It's not a spreadsheet - it just contains apparently random data. I say "apparently" - TrID couldn't identify it, Sysinternals' Strings.exe finds nothing and it "looks" random. When I've seen this before, it's because a disk's pointers have been corrupted.

It's great that your backup is good, but I'd strongly recommend that you check the disk.

Regards,
Brian.
ASKER
ssgchelp

I'll do a chkdsk but wouldn't that affect files with other extensions on that drive? Also, why wouldn't Excel files on the same drive that were in different folders be affected?
redmondb

ssgchelp,

A chkdsk would be good, but I'd also check logs.

"All Excel files in that folder" is a meaningful subset of your files. As such, it's entirely possible that someone/something should choose to process just them.

There are other possibilities. In my experience, they're just less likely...
(1) Malicious action by a user. (If they were smart enough to leave no trail, this seems a pretty crude act of sabotage.)
(2) Virus. Some viruses encrypt file contents and ask for payment to unencrypt them. Encrypted and random data look much the same.
(3) Someone was running an update and accidentally picked the wrong files. Actually, that's something else to check - any possibility that someone is working on (or using) file encryption?

Cheers,
Brian.
CoffeePlease

ssgchelp, We also had this problem start happening on Thursday/Friday of last week. I restored the affected directories from backup and they were fine. I came back in this morning and users were reporting that the files were fine when they came in, but then shortly later became corrupt again. My environment seems similar to yours. We are also running Symantec Endpoint Security for AV. It now appears that the directory is actively corrupting files. I created an xls and copied it over, it opened fine remotely. Then I closed and re-opened it again and it was corrupt. This is happening with all .xls, .xlsx, .doc, .docx, .rtf. Text files and PDFs are completely fine. I am wondering if this is a botched definition update from Symantec? Are you using them for AV also?

Edit: I've uploaded an xls file that was fine before I copied it to the affected share. I tried to open it again after xfer and this is what is returned. And again, it's only this directory on the share server.

Edit 2: If I move a working xls over to the share marked read-only it remains fine and opens without issue. As soon as I remove the read-only attribute, it corrupts almost instantly. AV comes up clean with the latest set of definitions and I don't see any suspicious processes running on the share server either.
IT-Comparisons.xls
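
What both uploaded samples have in common (contents that no longer match the extension and that look random) can be checked across a whole share for the file types listed in the post above. The script below is an added example, not code posted by anyone in this thread; the 7.5 bits-per-byte entropy threshold and the verdict names are assumptions chosen for illustration.

```python
import math
import os
from collections import Counter

# Well-known leading bytes for each format.
OLE2 = bytes.fromhex("D0CF11E0A1B11AE1")   # legacy .xls / .doc compound file
ZIP = b"PK\x03\x04"                        # .xlsx / .docx are ZIP containers
SIGNATURES = {".xls": (OLE2,), ".doc": (OLE2,), ".xlsx": (ZIP,),
              ".docx": (ZIP,), ".rtf": (b"{\\rtf",)}
ENTROPY_THRESHOLD = 7.5                    # assumed cut-off, bits per byte

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, close to 8.0 for random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(path: str, sample_size: int = 65536) -> str:
    """Return 'skipped', 'ok', 'suspect' or 'likely-encrypted' for one file."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in SIGNATURES:
        return "skipped"
    with open(path, "rb") as fh:
        sample = fh.read(sample_size)
    if sample.startswith(SIGNATURES[ext]):
        return "ok"
    # Header no longer matches the extension. High entropy on top of that
    # points to encrypted or overwritten content rather than a renamed file.
    if shannon_entropy(sample) > ENTROPY_THRESHOLD:
        return "likely-encrypted"
    return "suspect"

def scan_share(root: str) -> dict:
    """Walk a folder tree and map every flagged Office file to its verdict."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                verdict = classify(full)
            except OSError:
                verdict = "unreadable"     # locked or access denied
            if verdict not in ("ok", "skipped"):
                findings[full] = verdict
    return findings

if __name__ == "__main__":
    import sys
    for path, verdict in sorted(scan_share(sys.argv[1]).items()):
        print(f"{verdict:18} {path}")
```

Password-protected .xlsx and .docx files are stored in an OLE2 container rather than a ZIP, so they will be flagged; compare hits against a known-good backup before treating them as damaged.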
redmondb

CoffeePlease,

Yes, your file looks as random as ssgchelp's.

Which version of SEP are you running?

Regards,
Brian.
CoffeePlease

Hi Brian,

Thanks for your response.  I am running SEP version 11.0.4014.26.

Thanks,
-John
redmondb

Thanks, John - it'll probably be good news if that's ssgchelp's version as well!
CoffeePlease

Hopefully.. that's why I joined up :)  I still find it bizarre that other shares on this server are unaffected (so far).  Thanks for the participation. Also, that it seems to have happened on the same timeline.
ASKER
ssgchelp

Hi. I do not use Symantec. I use Trend Micro's Worry Free Business. Here is what I know about this issue after 3 days.

1) Problem affected only .xls and .doc files in shared network folders that had all users full control permissions.
2) .pdf, .tif, .jpg, all other file formats are fine.
3) Shared directories that have .xls, .doc in them are fine but those directories don't have full control all user permissions.
4) 3 machines were infected with viruses, 5 others with malware/spyware.
5) No hard drive or volume errors in Windows logs. RAID management consistency check found no errors.

Given all this information, I'm concluding that it is a virus issue.
redmondb

ssgchelp.

"3 machines were infected with viruses, 5 others with malware/spyware."

!

Please click on the "Request Attention" link below your question and ask the Mods to add the appropriate Topic Area(s). In addition, please specify the viruses and malware that you've identified.

All the best,
Brian.
byundt

Microsoft just updated a Technical Note covering corruption of Office documents due to a ransom-ware virus attack: "Excel cannot open the file [filename] because the file format or file extension is not valid." opening Office files. They suggest running Microsoft Safety Scanner to find and remove the virus. Your files are toast, however, and should be restored from a backup.
redmondb

Great catch, byundt.
ASKER
ssgchelp

Trend Micro found the following viruses on client machines.
TROJ_RANSOM.IQN
TROJ_SPNR.0EI713
TROJ_INJECTER.FV
TROJ_GEN.R0C5C0HHM13

Thank you all for your help.
redmondb

ssgchelp,

I wouldn't mind that the names are all different from the one which byundt mentioned - the same virus often has different names. I do think that it's significant that one of them includes the word "Ransom". This is what I referred to earlier and is also the nature of the virus byundt mentioned.

Regards,
Brian.
ASKER CERTIFIED SOLUTION
CoffeePlease

Log in or sign up to see answer
AvendraHD

This hit my company last week. You're going to have to find the infected desktop to keep it from happening. This ransomware takes ownership of every file it can and changes the owner to the infected user. Then it encrypts them and pushes for ransom. So if you can find the infected machine, you can clean up the virus AND track down all infected files by owner name (we used TreeSize to find this data). Then you can use previous versions or just restore from backup.

What you will most likely find out is that this user is in a group that has full control over directories and that's how the virus was able to take control of files -- by using his credentials.  Good luck.