?
Solved

corrupt files

Posted on 2014-03-19
17
Medium Priority
?
226 Views
Last Modified: 2014-04-28
Hi guys,

one of the users has a machine that now has lots of corrupt files, maybe they were a different format but it looks as if they try to convert them every time it opens and they dont eventually open?

Is there anything that can be done to retrieve the info?

Here is an example
let-to-EBS2.doc
0
Comment
Question by:jonathanduane2010
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 11
  • 6
17 Comments
 
LVL 11

Expert Comment

by:itguy565
ID: 39939438
That file has been encrypted. If I were a betting man then I would say that you are infected with Ransomware on that workstation. This looks alot like the format I saw when a client was infected with CryptoLocker.
0
 
LVL 11

Expert Comment

by:itguy565
ID: 39939441
If that is the case then the files will be unrecoverable. Please scan that computer for virus and make sure it is disconnected from your network when you do it.
0
 
LVL 11

Expert Comment

by:itguy565
ID: 39939442
If that is Cryptolocker it will not only effect that workstation but also any network share that workstation has access to.
0
Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

 

Author Comment

by:jonathanduane2010
ID: 39939449
its off the network.....

its a home user that never did backups..

the files are gone??
0
 
LVL 11

Expert Comment

by:itguy565
ID: 39939459
I wouldn't say that yet. You need to determine what virus has infected that system.

Download the following:
Rkill
combofix
malwarebytes
emsisoft Emergancy malware kit Free

If you run these on the workstation one of them is likely to tell you what the virus is. If it is cryptoLocker then the files are gone. If it is another type of Ransomeware some of the decryption keys are out on the web so you might be able to find a problem to decrypt the files.

The trick is first identify the source of the infection then you can determine if the files are recoverable or not.
0
 

Author Comment

by:jonathanduane2010
ID: 39939846
there doesnt seem to be any viruses on it.....
0
 
LVL 11

Expert Comment

by:itguy565
ID: 39939853
If that is the case then the files will most likely not be able to be recovered. can you post an instance of another file?
0
 
LVL 11

Expert Comment

by:itguy565
ID: 39940003
In order to decrypt those files you need to know what program for virus encrypted it so that you can determine if the hash is available to decrypt them. If the program is not available or is not on that PC then the chances of encrypting those files are next to none.
0
 

Author Comment

by:jonathanduane2010
ID: 39940009
are they definitely encrypted???
0
 

Author Comment

by:jonathanduane2010
ID: 39940024
here is another file
Stationary2013.docx
0
 
LVL 11

Expert Comment

by:itguy565
ID: 39940039
yes, a regular word document looks like this:
PK     ! 3qNw  !   [Content_Types].xml ¢(                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  ´TKKÃ@¾þ‡°WI¶õ "M{ðqÔ‚¼®›I»¸/v§¯ï¤iƒHÚ¨m/Í|¯fg0Z, DålÎúY%`¥+”æìmò”Þ²$¢°…ÐÎBÎÖÙhxy1˜¬=Ä„Ø6æl†èï8rFÄÌy°T)]0é¦Üù)¦À¯{½.E°˜b¥Á†ƒ(Å\cò¸¢ßu’ :²ä¾V^9Þk%R/lñÃ%Ý:dÄÜ`âLùxE Æ[ªÊ~ƒ-ï…ZTÉX|†P|éBÁ'熘Ùa™–œ®,•„†_©ùà$ÄH=7:k*F(»Ëß–CÎ#:ón4Wfœý£ã4¢•TÐôpo/"®5ÄÓw¢Öí¶D"œ#ÀV¹3Â>^Ï–â›xg’|'âCÃéc4ҝ!¶ Ôßãr#sÈ’›Ù§­þqíÝڨةÿÕÐ7Ž$}ôý ÚHõ®ê‰Þ{‹9ß,øá   ÿÿ PK     ! ™U~þ   á   _rels/.rels ¢(                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  ¬’MK1†ï‚ÿ!̽;Û*"ÒÝ^DèMdýC2û›’©¶ÿÞ(Š.Ôµ‡3yçÉ3CÖ›½Õ+Ç4xWÁ²(A±ÓÞ®«à¹yXÜ‚JBÎÐèWpà›úòbýÄ#InJý’Ê—*èEÂbÒ=[J…ìòMë£%ÉÇØa ýBãª,o0þf@=aª­© nͨæø¶oÛAó½×;ËNŽ<¼v†Í"ÄÜeÈÓ¨†bÇRñú1—REF7Znô÷´hYȐjyÞç#1'´<犦‰›7
š¯òœÍõ9mô.‰·ÿ¬ç3ó­„“Y¿  ÿÿ PK     ! ßµL¶
  ¿   word/_rels/document.xml.rels ¢(  

Open in new window


Notice the content type at the top.

[Content_Types].xml

all word documents are going to show that string.. This document does not have that so the original code has been altered.
0
 
LVL 11

Expert Comment

by:itguy565
ID: 39940050
When you open that document in a text editor you get the following:

¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿÷¿¿¿¿¿¿¿¿s¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿A¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¦¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿P¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿E¿¿¿¿¿¿¿¿¿¿¿s¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿-¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿û¿¿¿¿¿¿¿a¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿;¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿[¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿>¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿µ¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿Å¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿g¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿

Open in new window


This is definitely not the original code associated with this document.
0
 
LVL 11

Expert Comment

by:itguy565
ID: 39940063
Lets try that again. Here is a screenshot as EE doesn't let me paste the code.

stationary 2013
0
 
LVL 11

Expert Comment

by:itguy565
ID: 39940073
Other Experts Please Chime in.. We can use a second opinion but looking at these files I am 100% sure they have been encrypted.
0
 

Author Comment

by:jonathanduane2010
ID: 39940279
is there any way of paying the ransom so i can get the files decrypted????
0
 
LVL 11

Accepted Solution

by:
itguy565 earned 1500 total points
ID: 39940294
If you knew the program that encrypted the files that might be possible. Because when you ran the AV software you were unable to determine what that program was this would not be possible.

You need to know the name of the ransomeware that caused the problem in order to proceed any further with ANY actions.
0
 

Author Comment

by:jonathanduane2010
ID: 39982781
thanks guys, I will look at that now
0

Featured Post

Enroll in August's Course of the Month

August's CompTIA IT Fundamentals course includes 19 hours of basic computer principle modules and prepares you for the certification exam. It's free for Premium Members, Team Accounts, and Qualified Experts!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article describes a method of delivering Word templates for use in merging Access data to Word documents, that requires no computer knowledge on the part of the recipient -- the templates are saved in table fields, and are extracted and install…
I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
The viewer will learn how to use a discrete random variable to simulate the return on an investment over a period of years, create a Monte Carlo simulation using the discrete random variable, and create a graph to represent the possible returns over…
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…

800 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question