Solved

Unsupported format

Posted on 2013-12-21
Last Modified: 2014-02-05
I have a server with a folder on it called cases.  One day for no apparent reason all the documents in this folder and sub folders are no longer accessible by all workstations.  These are Word 2003 and WordPerfect 9 documents.  The WordPerfect message is "unsupported format" and the Word message is unable to convert.  This only happens to all files in the main folder cases.  There are a few other folders on the server that have miscellaneous documents.  All of those documents are completely accessible with no error messages.  Help!!!!
Question by:captjcret
45 Comments
 
LVL 16

Expert Comment

by:joinaunion
I'm not sure how many documents you have but can you right click one select properties and let us know the file extension name.
0
 

Author Comment

by:captjcret
The WordPerfect documents have the file extension .wpd and the Word documents have .doc
0
 
LVL 16

Expert Comment

by:joinaunion
0
 

Author Comment

by:captjcret
The wplook program does not even recognize the files as WordPerfect files and Word does not recognize the Word files.
0
 
LVL 16

Expert Comment

by:joinaunion
I have asked for more experts to chime in.
0
 

Author Comment

by:captjcret
I discovered that their backup system has not been working since 12/15/2012, so they do not have a good backup.  I restored the old backup of the cases folder into a different directory and was able to compare some files.  The same files I cannot open now, I can open in the new directory.  I copied two of the same files to a local directory on a PC.  The two files are the same name and the exact same size.  The older file I can open, the new file I cannot.
0
 
LVL 38

Expert Comment

by:Jim P.
That almost sounds like someone got the CryptoLocker virus and didn't admit it.

Have you run a virus scanner on all the workstations or checked their logs?
0
 
LVL 42

Accepted Solution

by:
Davis McCarn earned 200 total points
Ditto to jimpen's thought.  It may not specifically be CryptoLocker, but there are about 60 trojans which encrypt everything (music, pictures, xls, doc, etc.) the infected PC has access to.  If you can get the specific name of the trojan, most of them have decryptor utilities written by the good guys.  Some, though, use a key retrieved from the cybercriminals' server and, if it's one of them, you're scr*wed.

You need to find the infected PC!
0
 

Author Comment

by:captjcret
Two of the four computers connected to the server have been given full virus scans.  Both computers came up with the Trojan generic35.mdd infection and they were removed.  These two particular computers are the ones that are working in the CASES folder all the time.  I have them running full scans on the last two computers.
0
 
LVL 38

Assisted Solution

by:Jim P.
Jim P. earned 200 total points
Googling Trojan generic35.mdd suggests that it usually comes packaged with other stuff.

What scanner are you using? I would suggest trying Malwarebytes.

And if you are using a subscription AV you might be able to open an incident with the AV company and upload some files to them for analysis. It might be faster. But considering this is Christmas eve you may not get much support, unfortunately.
0
 
LVL 42

Assisted Solution

by:Davis McCarn
Davis McCarn earned 200 total points
Virtually every encrypting trojan has:
1) Demanded money to decrypt the files (FBI & Interpol variants want $300.00; Moneypak wants $60)
2) Completely disabled and broke most installed A/V products (Deleted files, corrupted settings, services, or devices)
3) Broken Windows Update and security related services.

I don't think you have found the PC!  Does anyone use RDP?

Roguekiller and TDSSkiller are two, very powerful, standalone removal tools:
http://tigzy.geekstogo.com/roguekiller.php
http://usa.kaspersky.com/downloads/tdsskiller
0
 

Author Comment

by:captjcret
It is like the file associations are not working on all the documents.  I have googled this and there are file association repair tools but none that recognize a WordPerfect .WPD file.  WPlook does nothing because it does not recognize the file as a WP document.  I have a document that opens and the same document where it won't open.  Is there somebody I can send these two documents to analyze and compare?
0
 

Author Comment

by:captjcret
I am using Remote Desktop to remotely administrate the server.  My computer is clean.
0
 
LVL 42

Expert Comment

by:Davis McCarn
It is NOT file associations:
"The same files I cannot open now, I can open in the new directory"
The files are encrypted.
0
 

Author Comment

by:captjcret
It does not matter where I copy the files to or where I open them from. If I download them to an offsite computer with WordPerfect I still cannot open them.
0
 
LVL 8

Expert Comment

by:chcw
For Word documents, you can try some Word data recovery tools such as

DataNumen Word Repair

at

http://www.datanumen.com/word-repair/

to see if it can recover your document.
0
 
LVL 16

Assisted Solution

by:joinaunion
joinaunion earned 100 total points
0
 
LVL 42

Expert Comment

by:Davis McCarn
You said earlier that when you restored older versions of the same files to a different folder they opened fine.  That eliminates file associations, any problems with Office,  and renders "recovery" apps useless.

I'm sorry, but Occam's razor says something f'ed them up and the highest probability is a trojan.

If you right-click on a working DOC file, choose open with, then let me choose, and open it with Notepad, you will find lots of readable text.  The contents will have spaces between each letter and towards the end, will be the author, the version of word, and the template name (usually NORMAL.DOT)

Here is some from one of mine:

Davis McCarn                             Normal.dot        Davis McCarn          1         Microsoft Word 10.0 @    Øu

Try it on one which works and then on one which doesn't.  I'll bet the ones that don't are pure gobbledygook.

Again, if you can find the true name of the trojan that encrypted them, many of them can be fixed with a utility expressly for that trojan.
0
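The Notepad comparison described above can be run over a whole folder. This is an added example, not part of any poster's reply: it checks each .doc/.wpd file for its format signature, then looks at zero-fill and byte entropy. The function names and the two thresholds are assumptions chosen for illustration.

```python
import hashlib
import math
import os
from collections import Counter

# Leading signatures of the two formats discussed in this thread.
MAGIC = {
    ".doc": bytes.fromhex("d0cf11e0a1b11ae1"),  # OLE2 container (Word 97-2003)
    ".wpd": b"\xffWPC",                          # WordPerfect document prefix
}
ZERO_RATIO = 0.9     # assumed threshold: share of 0x00 bytes for "zero-filled"
HIGH_ENTROPY = 7.5   # assumed threshold in bits/byte; ciphertext sits near 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, 0.0 for a constant fill."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(ext: str, data: bytes) -> str:
    """Classify the leading bytes of a .doc/.wpd file. Header check only."""
    magic = MAGIC.get(ext.lower())
    if magic is None:
        return "unknown-type"
    if data.startswith(magic):
        return "header-ok"
    if not data:
        return "empty"
    if data.count(0) / len(data) > ZERO_RATIO:
        return "zero-filled"
    if shannon_entropy(data) > HIGH_ENTROPY:
        return "high-entropy"
    return "header-damaged"

def scan_tree(root: str, sample_size: int = 65536) -> dict:
    """Read-only walk: map every .doc/.wpd path under root to its verdict."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext in MAGIC:
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    results[path] = triage(ext, fh.read(sample_size))
    return results

if __name__ == "__main__":
    # Constructed samples, not real case files.
    good = MAGIC[".doc"] + b"N\x00o\x00r\x00m\x00a\x00l\x00" * 50
    zeroed = b"\x00" * 4000 + b"\x01\x1f\x07"
    noisy = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    for label, blob in (("good", good), ("zeroed", zeroed), ("noisy", noisy)):
        print(label, triage(".doc", blob), round(shannon_entropy(blob), 2))
```

A "header-ok" verdict only says the first bytes match the format; comparing against the restored backup copy of the same file confirms the body.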
 

Author Comment

by:captjcret
Actually when I copy the documents to any other location I still cannot open them.  I opened up one of the bad documents using Notepad and I am not seeing anything but gobbledygook at the end of the document.  We are going to do another complete scan at all four workstations and see if we can identify a specific virus that could have caused this.
0
 
LVL 42

Expert Comment

by:Davis McCarn
Did you try opening one of the files which works with Notepad so you could see the embedded text?
0
 
LVL 38

Assisted Solution

by:Jim P.
Jim P. earned 200 total points
Even if you open an exe file with Notepad, you can usually find some sort of readable text in it, even if it is just the copyright note and date from XYZ Corp.

If you open the files with Notepad and have nothing but a scramble, that sounds like one of two options. The most horrible one is some sort of corruption due to a failing hard drive, controller or similar. The second, the virus, outside of the CryptoHacker virus, generally has a white hat resolution.
0

 

Author Comment

by:captjcret
In Notepad viewing a Word document that is not accessible I am seeing a bunch of zeroes and a few random control characters. Doesn't look good. The event viewer is showing a SAM error but it seems to me if it was the drive in the server it would affect a lot more folders off of the root than 1 large folder.  The shared folder on the server is called data.  Under data there are about 20 folders of which one is CASES.  The only folder affected out of all the folders is CASES.
I ran Roguekiller and TDSSkiller and found only one workstation infected with IPUpdater which I removed.
0
 
LVL 38

Expert Comment

by:Jim P.
"In Notepad viewing a Word document that is not accessible I am seeing a bunch of zeroes and a few random control characters. Doesn't look good."

I'm going to have to agree. That sounds like some sort of "purposeful" encryption.

Without knowing which virus did it, we're throwing darts blindfolded. I would make several copies of the files as they sit now to an external drive and then just go through one by one and sample the decrypters.

I know, a tedious pain in the butt, but I don't have a better suggestion. And a post disaster recovery suggestion is check the backups, and really the recovery, every quarter at least.
0
 
LVL 16

Expert Comment

by:joinaunion
Have you tried uninstalling Word & WordPerfect and reinstalling?
0
 
LVL 38

Expert Comment

by:Jim P.
"Have you tried uninstalling Word&Wordperfect and reinstall?" -- joinaunion

That won't help. On your local workstation open Notepad; then do a File --> Open and find a Word document. The text may not look pretty, but is generally understandable. Captjcret is saying the document he is looking at is mostly binary with control characters.
0
 
LVL 16

Expert Comment

by:joinaunion
Is Sharepoint running on the server?
0
 
LVL 27

Expert Comment

by:Steve
Hi captjcret,

I'm afraid the guys here are spot on. Everything you are describing matches up with one of many cryptolocker viruses.

You should scan systems to identify and remove the virus ASAP, but the corrupted files are lost and there isn't anything you can do with them.

Concentrate your time and effort on removing the virus and restoring the files from whatever backup source you have available.
0
 

Author Comment

by:captjcret
We have scanned all workstations and restored what old backups we have. We are still missing a year's worth of data that is corrupt.  I am an outside IT person that has not been asked for help for over a year or I would have caught the backup problem.  A correct backup routine with instructions has been put in place but this is only after the horse has escaped the barn. If there is no repair they have quite a bit of hard copy that can be scanned as a partial solution to data recovery.  I would still like to send a couple of files to somebody for analysis.  Are there any recommendations to accomplish this or is this not a policy of Experts Exchange?  Is there one program over another that may have blocked this attack better than another that we should purchase?
0
 
LVL 27

Expert Comment

by:Steve
Don't think we're able to post our e-mail addresses anywhere on here so you can't really send a file to us.
The discussion above about the file contents (via Notepad etc.) does confirm that the file is no longer in a Word format though. If you look through a file in Notepad and cannot see anything other than random characters it is definitely not a Word 2003 format.
If it was Word 2007 onwards we may have other possibilities as the new versions are a different format to the older versions.

With regard to programs to block this stuff, viruses & malware are always evolving so no one program can always protect you. In practice, you are best to use a good AV product, kept up to date with regular scans, and a separate malware product to catch the stuff that doesn't count as a virus.
0
 
LVL 16

Expert Comment

by:joinaunion
Do new documents become corrupted?

Are you able to attach one if it becomes corrupted or one that is not confidential?
0
 

Author Comment

by:captjcret
Documents are no longer getting corrupted.

FLASH: The operator just emailed me:

http://malwaretips.com/blogs/antivirus-security-pro-removal/

I've been thinking back to what happened the morning things went haywire..before we started working on the fix of the computers.
This is the name of the virus that was flashing red on Byron's computer and mine.  We share a lot of e-mails. Maybe it was attached to one, I don't know.  Anyway, I thought you might want to see this, just in case it helps.
0
 
LVL 42

Expert Comment

by:Davis McCarn
I have removed hundreds of flavors of Antivirus Security Pro and, unfortunately, none of them encrypts the user's files.
With the exception of some of the most recent flavors of the FBI virus, almost all of the encryptors have decryptors available.  The key; though, again is in correctly identifying the trojan which caused the encryption.
Last summer, I had a call from a local painting company.  They had become infected with an encryptor and before I was called their resident nerd had reinstalled Windows.  The reinstall did kill the trojan; but, also clobbered any way to find out what it was named.  I got to tell them that I knew of about 60 decryptor programs; but, it would take me about 10 minutes per to test each one......
(and Murphy demands it would have been the 60th that worked!)
0
 
LVL 16

Expert Comment

by:joinaunion
Does that program show up in add/remove programs?

Do you see anything that says microsoft antivirus?

Since the documents no longer become corrupted it's pretty safe to say there is no virus anymore.

You said renaming the corrupted file did nothing?
0
 

Author Comment

by:captjcret
Antivirus Security Pro does not show up.  I believe it may have been removed.  The only other installed items I see that I am not familiar with are Browser Configuration Utility, IB Updater Server and Internet Sweetpacks.
Nothing more seems to be becoming corrupt and renaming the files makes no difference.
0
 
LVL 16

Expert Comment

by:joinaunion
Please run Malwarebytes Chameleon. Download here:
https://www.malwarebytes.org/chameleon/
Directions to run Malwarebytes: http://malwaretips.com/blogs/antivirus-security-pro-removal/
Create folder to extract to.
Reboot after scan and try documents again.

If that fails, please boot into safe mode: tap F8 while booting and choose safe mode. Do your documents open normally in safe mode?
0
 
LVL 27

Expert Comment

by:Steve
"Documents are no longer getting corrupted."
That's good news and suggests you have located and removed/disabled the virus/malware that caused it.


May be worth @DavisMcCarn posting a link to the various decrypters he is aware of as they are worth a try, but without something to undo what has been done, you will not be able to recover these files.
0
 
LVL 16

Expert Comment

by:joinaunion
Any luck?
0
 

Author Comment

by:captjcret
We are going to try some different scans today.
0
 

Author Comment

by:captjcret
It looks like there is no fix for the damaged documents
0
 

Author Comment

by:captjcret
I've requested that this question be deleted for the following reason:

It looks like the files are unrepairable
0
 
LVL 27

Expert Comment

by:Steve
The advice from myself and other experts was valid and correct. Please do not delete the question as others may find these responses helpful in the same situation.
Please choose the responses that were most helpful or accurate.
0
 

Author Closing Comment

by:captjcret
Thanks for all your help.  A lot of good info; unfortunately, the damage to the files seems to be permanent.  Many of the documents can be scanned from hard copy.
0
 
LVL 38

Expert Comment

by:Jim P.
"Many of the documents can be scanned from hard copy."

If you need to OCR any of the documents back to text I used the ABBYY FineReader before on pretty bad documents and it worked well. Just a suggestion.
0
