Repair file corruption from W32.Sillydc worm

I have several computers that got hit with the W32.Sillydc worm or a close cousin. I believe the infection is cleared, but the malware also corrupted many Excel & Word documents on a shared drive. When the file is opened, an error appears: "Word cannot start the converter mswrd632.wpc." Another window pops up asking: "Select the encoding that makes your document readable." I've tried nearly all encoding options and none makes the file readable.

Systems are Windows 7 Pro 64-bit and a few old Windows XP Pro 32-bit.

This happens on multiple systems; the same systems can open other documents just fine, including the restored copies. Simpler messages appear if opened on OS X running MS Office for Mac.

As happens, there was one user who has a folder that was not being backed up properly and needs those files restored. Can anyone provide step-by-step instructions to restore those files, or might be willing to perform it as a paid service?

All file corruption happened at the time of the malware infection.

Will send corrupted files if requested.
Asked by: tss-nm

DMTechGrooup commented:
I have never used this particular software but have used their others. They have a free trial to see if it may work.

http://www.diskinternals.com/office-recovery/
0
Davis McCarn (Owner) commented:
It was not W32.Sillydc that encrypted your files but, rather, a secondary infection that came along with it. There are numerous decryptors written by the good guys to get your files back. Without the name of the actual encryptor, it is fruitless to try decryption.
Google search the names of other detected infections and find the one which encrypts and holds the files for ransom.
0
btan (Exec Consultant) commented:
As shared by the experts, this is possibly the doing of ransomware or scareware. Likewise, I also think sillydc (W32.Sality) may be a culprit too. In the past, there were Worm.ExploreZip and Virut (file infector type). Of course, they would likely pave the way for others to come in to perform some sort of exploits and theft. But typically, if they are of the ransomware type, it will prompt you to get the files back; if not, there is no value for those attempts. I don't think it is your case...

Nonetheless, you can try to see if the "corrupted" files have changed their file formatting to some normal format using PEiD (http://www.aldeid.com/wiki/PEiD) and ProtectionID (http://protectionid.owns.it/) as a first cut (again).

Also, coming back, the quick recovery methods in the article below can come in handy (e.g. volume shadow) for "corrupted" files, with tools such as RECUVA, OffVis, Zip repair and S2 Services.

http://www.techradar.com/news/software/applications/9-ways-to-recover-a-corrupt-microsoft-office-file-712429
0
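A first-pass check for the question this thread turns on (are the files damaged, or encrypted?), given here as an added example that is not part of any post above. It compares each Office file's leading bytes with the container signature its extension implies and measures byte entropy; the function names, the 64 KiB sample size and the 7.5 bits/byte threshold are assumptions chosen for illustration.

```python
import math
import os
from collections import Counter

OLE2 = bytes.fromhex("D0CF11E0A1B11AE1")   # legacy .doc / .xls compound file
ZIP = b"PK\x03\x04"                        # .docx / .xlsx (OOXML) container
EXPECTED = {".doc": OLE2, ".xls": OLE2, ".docx": ZIP, ".xlsx": ZIP}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 (constant data) up to 8.0 (uniformly random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(path: str, sample: int = 65536, threshold: float = 7.5) -> str:
    """Classify one Office file by header signature and byte entropy."""
    magic = EXPECTED.get(os.path.splitext(path)[1].lower())
    if magic is None:
        return "skipped"                   # not an extension we know how to check
    with open(path, "rb") as fh:
        head = fh.read(sample)
    if not head:
        return "empty"
    # Header test comes first: intact .docx/.xlsx are compressed, so their
    # entropy is naturally high and entropy alone would mislabel them.
    if head.startswith(magic):
        return "header-ok"
    if shannon_entropy(head) >= threshold:
        return "no-header-high-entropy"    # consistent with whole-file encryption
    return "no-header-low-entropy"         # consistent with overwrite or damage

def scan(root: str) -> dict:
    """Walk a folder (e.g. a copy of the share) and triage every Office file."""
    results = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            verdict = triage(full)
            if verdict != "skipped":
                results[os.path.relpath(full, root)] = verdict
    return results
```

Run it against a read-only copy of the affected folder. "header-ok" only means the container signature survived, not that the body is undamaged, and very small files cannot reach the entropy threshold.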
tss-nm (Author) commented:
One of the newer forms of Cyberlocker was used with the $300 ransom request.  I removed the malware last week.  So I'm not sure if I can even pay the ransom if the client chose to at this point.  Any thoughts from here?
0
btan (Exec Consultant) commented:
Cyberlocker is dealing with copyright issues and faces many legal issues (consider it like pirate tools). I doubt you want to straddle into it unnecessarily (Megaupload is shut down by the US govt).

There is more on the shakeup at http://www.plagiarismtoday.com/2012/01/24/cyberlocker-shakeup-and-the-aftermath-for-you/

The question is why accede to the request, even if it is alright, and I believe there are means by which the other side will get back, knowing you are taken "offline". I really suggest a clean rebuild, and recover what is best possible from the last best known snapshot or restore point. Do think about reporting to local authorities to follow up.
0

tss-nm (Author) commented:
Good advice but real solution
0