All Excel Files on Server Share are Corrupt

I have a server running Windows 2008 R2. All clients are running Windows 7 with Office 2007 or Office 2010. All of a sudden, yesterday, the Excel files in a server shared folder have become corrupt. No other file type is corrupt in that folder or sub-folders. No Excel files in any other directory are corrupt. Just this one. When you try to open the file it says "The file you are trying to open, , is in a different format than specified by the file extension". If you say ok then it just shows a lot of garbage in the spreadsheet.

Quota management is off and VSS is not enabled.

Has anyone come across this issue before?
ssgchelp Asked:

redmondb Commented:
Hi, ssgchelp.

Can you post one of the files here, please? (Be careful about the sensitivity of any file that you pick - don't rely on the apparent corruption to hide information.)

Thanks,
Brian.
0
byundt (Mechanical Engineer) Commented:
The issue may be related to your Anti-Virus software. Or it could be a policy issue that prevents opening old file formats (such as .xls). Both of the above have been found to cause the type of problem you describe.
0
ssgchelp (Author) Commented:
Here is a file. I think it may have to do with a virus. I restored all Excel files in this directory from the previous night backup to a different location and all the files are fine.
acronyms.xls
0
redmondb Commented:
Thanks, ssgchelp.

It's not a spreadsheet - it just contains apparently random data. I say "apparently" - TrID couldn't identify it, Sysinternals' Strings.exe finds nothing and it "looks" random. When I've seen this before, it's because a disk's pointers have been corrupted.

It's great that your backup is good, but I'd strongly recommend that you check the disk.

Regards,
Brian.
0
ssgchelp (Author) Commented:
I'll do a chkdsk but wouldn't that affect files with other extensions on that drive? Also, why wouldn't Excel files on the same drive that were in different folders be affected?
0
redmondb Commented:
ssgchelp,

A chkdsk would be good, but I'd also check logs.

"All Excel files in that folder" is a meaningful subset of your files. As such, it's entirely possible that someone/something should choose to process just them.

There are other possibilities. In my experience, they're just less likely...
(1) Malicious action by a user. (If they were smart enough to leave no trail, this seems a pretty crude act of sabotage.)
(2) Virus. Some viruses encrypt file contents and ask for payment to unencrypt them. Encrypted and random data look much the same.
(3) Someone was running an update and accidentally picked the wrong files. Actually, that's something else to check - any possibility that someone is working on (or using) file encryption?

Cheers,
Brian.
0
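Added example, not part of any post in this thread: redmondb's two observations (the files no longer look like spreadsheets, and encrypted data looks random) can be checked across a share by comparing each Office file's leading bytes with its extension and measuring byte entropy. The 7.5 bits/byte threshold, the verdict labels and the sample files built by `demo()` are assumptions made for illustration.

```python
import math
import os
import tempfile
from collections import Counter

# Leading bytes of the Office formats named in the thread.
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # .xls / .doc compound file
ZIP = b"PK\x03\x04"                          # .xlsx / .docx container
MAGIC = {".xls": OLE2, ".doc": OLE2, ".xlsx": ZIP, ".docx": ZIP, ".rtf": b"{\\rtf"}
ENTROPY_LIMIT = 7.5   # assumed threshold in bits per byte (maximum is 8.0)

def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(path, sample=65536):
    """Return 'ok', 'suspect-encrypted', 'bad-header' or 'skipped' for one file."""
    magic = MAGIC.get(os.path.splitext(path)[1].lower())
    if magic is None:
        return "skipped"            # not an Office type we know how to check
    with open(path, "rb") as f:
        data = f.read(sample)
    if data.startswith(magic):
        return "ok"                 # header still matches the extension
    # Wrong header: random-looking bytes point to encryption, low entropy to a
    # mislabelled or truncated file.
    return "suspect-encrypted" if shannon_entropy(data) > ENTROPY_LIMIT else "bad-header"

def scan(root):
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            results[os.path.relpath(full, root)] = triage(full)
    return results

def demo():
    """Run scan() over constructed sample files (not real data from the thread)."""
    samples = {"good.xls": OLE2 + bytes(4096), "hit.xls": os.urandom(65536),
               "notes.txt": b"plain text", "export.xls": b"a,b,c\n" * 500}
    with tempfile.TemporaryDirectory() as d:
        for name, body in samples.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(body)
        return scan(d)

if __name__ == "__main__":
    for rel, verdict in sorted(demo().items()):
        print(f"{verdict:18} {rel}")
```

Files reported as `bad-header` with low entropy are usually mislabelled exports (CSV or HTML saved as .xls) rather than encrypted files.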
CoffeePlease Commented:
ssgchelp, We also had this problem start happening on Thursday/Friday of last week. I restored the affected directories from backup and they were fine. I came back in this morning and users were reporting that the files were fine when they came in, but then shortly later became corrupt again. My environment seems similar to yours. We are also running Symantec endpoint security for AV. It now appears that the directory is actively corrupting files. I created an xls and copied it over, it opened fine remotely. Then I closed and re-opened it again it was corrupt. This is happening with all .xls, .xlsx, .doc, .docx, .rtf. Text files and pdfs are completely fine. I am wondering if this is a botched definition update from Symantec? Are you using them for AV also?

Edit: I've uploaded an xls file that was fine before I copied it to the affected share. I tried to open it again after xfer and this is what is returned. And again, it's only this directory on the share server.

Edit 2: If I move a working xls over to the share marked read-only it remains fine and opens without issue.  As soon as I remove the read-only attribute, it corrupts almost instantly.  AV comes up clean with latest set of definition and I don't see any suspicious processes running on the share server either.
IT-Comparisons.xls
0
redmondb Commented:
CoffeePlease,

Yes, your file looks as random as ssgchelp's.

Which version of SEP are you running?

Regards,
Brian.
0
CoffeePlease Commented:
Hi Brian,

Thanks for your response.  I am running SEP version 11.0.4014.26.

Thanks,
-John
0
redmondb Commented:
Thanks, John - it'll probably be good news if that's ssgchelp's version as well!
0
CoffeePlease Commented:
Hopefully.. that's why I joined up :)  I still find it bizarre that other shares on this server are unaffected (so far).  Thanks for the participation. Also, that it seems to have happened on the same timeline.
0
ssgchelp (Author) Commented:
Hi. I do not use Symantec. I use Trend Micro's Worry Free Business. Here is what I know about this issue after 3 days.

1) Problem affected only .xls and .doc files in shared network folders that had all users full control permissions.
2) .pdf, tif, jpg, all other file formats are fine.
3) Shared directories that have .xls, .doc in them are fine but those directories don't have full control all user permissions.
4) 3 machines were infected with viruses, 5 others with malware/spyware.
5) No hard drive or volume errors in Windows logs. RAID management consistency check found no errors.

Given all this information, I'm concluding that it is a virus issue.
0
redmondb Commented:
ssgchelp,

"3 machines were infected with viruses, 5 others with malware/spyware."

!

Please click on the "Request Attention" link below your question and ask the Mods to add the appropriate Topic Area(s). In addition, please specify the viruses and malware that you've identified.

All the best,
Brian.
0
byundt (Mechanical Engineer) Commented:
Microsoft just updated a Technical Note covering corruption of Office documents due to a ransom-ware virus attack: "Excel cannot open the file [filename] because the file format or file extension is not valid." opening Office files. They suggest running Microsoft Safety Scanner to find and remove the virus. Your files are toast, however, and should be restored from a backup.
0
redmondb Commented:
Great catch, byundt.
0
ssgchelp (Author) Commented:
Trend Micro found the following viruses on client machines.
TROJ_RANSOM.IQN
TROJ_SPNR.0EI713
TROJ_INJECTER.FV
TROJ_GEN.R0C5C0HHM13

Thank you all for your help.
0
redmondb Commented:
ssgchelp,

I wouldn't mind that the names are all different from the one which byundt mentioned - the same virus often has different names. I do think that it's significant that one of them includes the word "Ransom". This is what I referred to earlier and is also the nature of the virus byundt mentioned.

Regards,
Brian.
0
CoffeePlease Commented:
Well.. MS Safety Scan found and removed Win32\Crilock.a on my TS profile store. A user who accesses the affected data share was the host. This appears to be a result of the virus. Currently restoring backups and I'll continue to monitor office files for the next few days. Thanks again to ssgchelp and the rest of you guys.

Edit:  Considering this resolved and being the result of a crilock.a infection.  Thanks everyone for your help.
0

AvendraHD Commented:
This hit my company last week. You're going to have to find the infected desktop to keep it from happening. This ransomware takes ownership of every file it can and changes the owner to the infected user. Then it encrypts them and pushes for ransom. So if you can find the infected machine, you can clean up the virus AND track down all infected files by owner name (we used TreeSize to find this data). Then you can use previous versions or just restore from backup.

What you will most likely find out is that this user is in a group that has full control over directories and that's how the virus was able to take control of files -- by using his credentials.  Good luck.
0