Solved

corrupt files

Posted on 2014-03-19
17
219 Views
Last Modified: 2014-04-28
Hi guys,

one of the users has a machine that now has lots of corrupt files, maybe they were a different format but it looks as if they try to convert them every time it opens and they dont eventually open?

Is there anything that can be done to retrieve the info?

Here is an example
let-to-EBS2.doc
0
Comment
Question by:jonathanduane2010
  • 11
  • 6
17 Comments
 
LVL 11

Expert Comment

by:itguy565
ID: 39939438
That file has been encrypted. If I were a betting man then I would say that you are infected with Ransomware on that workstation. This looks alot like the format I saw when a client was infected with CryptoLocker.
0
 
LVL 11

Expert Comment

by:itguy565
ID: 39939441
If that is the case then the files will be unrecoverable. Please scan that computer for virus and make sure it is disconnected from your network when you do it.
0
 
LVL 11

Expert Comment

by:itguy565
ID: 39939442
If that is Cryptolocker it will not only effect that workstation but also any network share that workstation has access to.
0
Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

 

Author Comment

by:jonathanduane2010
ID: 39939449
its off the network.....

its a home user that never did backups..

the files are gone??
0
 
LVL 11

Expert Comment

by:itguy565
ID: 39939459
I wouldn't say that yet. You need to determine what virus has infected that system.

Download the following:
Rkill
combofix
malwarebytes
emsisoft Emergancy malware kit Free

If you run these on the workstation one of them is likely to tell you what the virus is. If it is cryptoLocker then the files are gone. If it is another type of Ransomeware some of the decryption keys are out on the web so you might be able to find a problem to decrypt the files.

The trick is first identify the source of the infection then you can determine if the files are recoverable or not.
0
 

Author Comment

by:jonathanduane2010
ID: 39939846
there doesnt seem to be any viruses on it.....
0
 
LVL 11

Expert Comment

by:itguy565
ID: 39939853
If that is the case then the files will most likely not be able to be recovered. can you post an instance of another file?
0
 
LVL 11

Expert Comment

by:itguy565
ID: 39940003
In order to decrypt those files you need to know what program for virus encrypted it so that you can determine if the hash is available to decrypt them. If the program is not available or is not on that PC then the chances of encrypting those files are next to none.
0
 

Author Comment

by:jonathanduane2010
ID: 39940009
are they definitely encrypted???
0
 

Author Comment

by:jonathanduane2010
ID: 39940024
here is another file
Stationary2013.docx
0
 
LVL 11

Expert Comment

by:itguy565
ID: 39940039
yes, a regular word document looks like this:
PK     ! 3qNw  !   [Content_Types].xml ¢(                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  ´TKKÃ@¾þ‡°WI¶õ "M{ðqÔ‚¼®›I»¸/v§¯ï¤iƒHÚ¨m/Í|¯fg0Z, DålÎúY%`¥+”æìmò”Þ²$¢°…ÐÎBÎÖÙhxy1˜¬=Ä„Ø6æl†èï8rFÄÌy°T)]0é¦Üù)¦À¯{½.E°˜b¥Á†ƒ(Å\cò¸¢ßu’ :²ä¾V^9Þk%R/lñÃ%Ý:dÄÜ`âLùxE Æ[ªÊ~ƒ-ï…ZTÉX|†P|éBÁ'熘Ùa™–œ®,•„†_©ùà$ÄH=7:k*F(»Ëß–CÎ#:ón4Wfœý£ã4¢•TÐôpo/"®5ÄÓw¢Öí¶D"œ#ÀV¹3Â>^Ï–â›xg’|'âCÃéc4ҝ!¶ Ôßãr#sÈ’›Ù§­þqíÝڨةÿÕÐ7Ž$}ôý ÚHõ®ê‰Þ{‹9ß,øá   ÿÿ PK     ! ™U~þ   á   _rels/.rels ¢(                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  ¬’MK1†ï‚ÿ!̽;Û*"ÒÝ^DèMdýC2û›’©¶ÿÞ(Š.Ôµ‡3yçÉ3CÖ›½Õ+Ç4xWÁ²(A±ÓÞ®«à¹yXÜ‚JBÎÐèWpà›úòbýÄ#InJý’Ê—*èEÂbÒ=[J…ìòMë£%ÉÇØa ýBãª,o0þf@=aª­© nͨæø¶oÛAó½×;ËNŽ<¼v†Í"ÄÜeÈÓ¨†bÇRñú1—REF7Znô÷´hYȐjyÞç#1'´<犦‰›7
š¯òœÍõ9mô.‰·ÿ¬ç3ó­„“Y¿  ÿÿ PK     ! ßµL¶
  ¿   word/_rels/document.xml.rels ¢(  

Open in new window


Notice the content type at the top.

[Content_Types].xml

all word documents are going to show that string.. This document does not have that so the original code has been altered.
0
 
LVL 11

Expert Comment

by:itguy565
ID: 39940050
When you open that document in a text editor you get the following:

¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿÷¿¿¿¿¿¿¿¿s¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿A¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¦¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿P¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿E¿¿¿¿¿¿¿¿¿¿¿s¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿-¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿û¿¿¿¿¿¿¿a¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿;¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿[¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿>¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿µ¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿Å¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿g¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿

Open in new window


This is definitely not the original code associated with this document.
0
 
LVL 11

Expert Comment

by:itguy565
ID: 39940063
Lets try that again. Here is a screenshot as EE doesn't let me paste the code.

stationary 2013
0
 
LVL 11

Expert Comment

by:itguy565
ID: 39940073
Other Experts Please Chime in.. We can use a second opinion but looking at these files I am 100% sure they have been encrypted.
0
 

Author Comment

by:jonathanduane2010
ID: 39940279
is there any way of paying the ransom so i can get the files decrypted????
0
 
LVL 11

Accepted Solution

by:
itguy565 earned 500 total points
ID: 39940294
If you knew the program that encrypted the files that might be possible. Because when you ran the AV software you were unable to determine what that program was this would not be possible.

You need to know the name of the ransomeware that caused the problem in order to proceed any further with ANY actions.
0
 

Author Comment

by:jonathanduane2010
ID: 39982781
thanks guys, I will look at that now
0

Featured Post

NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This article will show you how to use shortcut menus in the Access run-time environment.
Recently Microsoft released a brand new function called CONCAT. It's supposed to replace its predecessor CONCATENATE. But how does it work? And what's new? In this article, we take a closer look at all of this - we even included an exercise file for…
The viewer will learn how to create two correlated normally distributed random variables in Excel, use a normal distribution to simulate the return on different levels of investment in each of the two funds over a period of ten years, and, create a …
This Experts Exchange video Micro Tutorial shows how to tell Microsoft Office that a word is NOT spelled correctly. Microsoft Office has a built-in, main dictionary that is shared by Office apps, including Excel, Outlook, PowerPoint, and Word. When …

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question