Solved

corrupt files

Posted on 2014-03-19
17
223 Views
Last Modified: 2014-04-28
Hi guys,

one of the users has a machine that now has lots of corrupt files, maybe they were a different format but it looks as if they try to convert them every time it opens and they dont eventually open?

Is there anything that can be done to retrieve the info?

Here is an example
let-to-EBS2.doc
0
Comment
Question by:jonathanduane2010
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 11
  • 6
17 Comments
 
LVL 11

Expert Comment

by:itguy565
ID: 39939438
That file has been encrypted. If I were a betting man then I would say that you are infected with Ransomware on that workstation. This looks alot like the format I saw when a client was infected with CryptoLocker.
0
 
LVL 11

Expert Comment

by:itguy565
ID: 39939441
If that is the case then the files will be unrecoverable. Please scan that computer for virus and make sure it is disconnected from your network when you do it.
0
 
LVL 11

Expert Comment

by:itguy565
ID: 39939442
If that is Cryptolocker it will not only effect that workstation but also any network share that workstation has access to.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:jonathanduane2010
ID: 39939449
its off the network.....

its a home user that never did backups..

the files are gone??
0
 
LVL 11

Expert Comment

by:itguy565
ID: 39939459
I wouldn't say that yet. You need to determine what virus has infected that system.

Download the following:
Rkill
combofix
malwarebytes
emsisoft Emergancy malware kit Free

If you run these on the workstation one of them is likely to tell you what the virus is. If it is cryptoLocker then the files are gone. If it is another type of Ransomeware some of the decryption keys are out on the web so you might be able to find a problem to decrypt the files.

The trick is first identify the source of the infection then you can determine if the files are recoverable or not.
0
 

Author Comment

by:jonathanduane2010
ID: 39939846
there doesnt seem to be any viruses on it.....
0
 
LVL 11

Expert Comment

by:itguy565
ID: 39939853
If that is the case then the files will most likely not be able to be recovered. can you post an instance of another file?
0
 
LVL 11

Expert Comment

by:itguy565
ID: 39940003
In order to decrypt those files you need to know what program for virus encrypted it so that you can determine if the hash is available to decrypt them. If the program is not available or is not on that PC then the chances of encrypting those files are next to none.
0
 

Author Comment

by:jonathanduane2010
ID: 39940009
are they definitely encrypted???
0
 

Author Comment

by:jonathanduane2010
ID: 39940024
here is another file
Stationary2013.docx
0
 
LVL 11

Expert Comment

by:itguy565
ID: 39940039
yes, a regular word document looks like this:
PK     ! 3qNw  !   [Content_Types].xml ¢(                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  ´TKKÃ@¾þ‡°WI¶õ "M{ðqÔ‚¼®›I»¸/v§¯ï¤iƒHÚ¨m/Í|¯fg0Z, DålÎúY%`¥+”æìmò”Þ²$¢°…ÐÎBÎÖÙhxy1˜¬=Ä„Ø6æl†èï8rFÄÌy°T)]0é¦Üù)¦À¯{½.E°˜b¥Á†ƒ(Å\cò¸¢ßu’ :²ä¾V^9Þk%R/lñÃ%Ý:dÄÜ`âLùxE Æ[ªÊ~ƒ-ï…ZTÉX|†P|éBÁ'熘Ùa™–œ®,•„†_©ùà$ÄH=7:k*F(»Ëß–CÎ#:ón4Wfœý£ã4¢•TÐôpo/"®5ÄÓw¢Öí¶D"œ#ÀV¹3Â>^Ï–â›xg’|'âCÃéc4ҝ!¶ Ôßãr#sÈ’›Ù§­þqíÝڨةÿÕÐ7Ž$}ôý ÚHõ®ê‰Þ{‹9ß,øá   ÿÿ PK     ! ™U~þ   á   _rels/.rels ¢(                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  ¬’MK1†ï‚ÿ!̽;Û*"ÒÝ^DèMdýC2û›’©¶ÿÞ(Š.Ôµ‡3yçÉ3CÖ›½Õ+Ç4xWÁ²(A±ÓÞ®«à¹yXÜ‚JBÎÐèWpà›úòbýÄ#InJý’Ê—*èEÂbÒ=[J…ìòMë£%ÉÇØa ýBãª,o0þf@=aª­© nͨæø¶oÛAó½×;ËNŽ<¼v†Í"ÄÜeÈÓ¨†bÇRñú1—REF7Znô÷´hYȐjyÞç#1'´<犦‰›7
š¯òœÍõ9mô.‰·ÿ¬ç3ó­„“Y¿  ÿÿ PK     ! ßµL¶
  ¿   word/_rels/document.xml.rels ¢(  

Open in new window


Notice the content type at the top.

[Content_Types].xml

all word documents are going to show that string.. This document does not have that so the original code has been altered.
0
 
LVL 11

Expert Comment

by:itguy565
ID: 39940050
When you open that document in a text editor you get the following:

¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿÷¿¿¿¿¿¿¿¿s¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿A¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¦¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿P¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿E¿¿¿¿¿¿¿¿¿¿¿s¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿-¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿û¿¿¿¿¿¿¿a¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿;¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿[¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿>¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿µ¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿Å¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿g¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿

Open in new window


This is definitely not the original code associated with this document.
0
 
LVL 11

Expert Comment

by:itguy565
ID: 39940063
Lets try that again. Here is a screenshot as EE doesn't let me paste the code.

stationary 2013
0
 
LVL 11

Expert Comment

by:itguy565
ID: 39940073
Other Experts Please Chime in.. We can use a second opinion but looking at these files I am 100% sure they have been encrypted.
0
 

Author Comment

by:jonathanduane2010
ID: 39940279
is there any way of paying the ransom so i can get the files decrypted????
0
 
LVL 11

Accepted Solution

by:
itguy565 earned 500 total points
ID: 39940294
If you knew the program that encrypted the files that might be possible. Because when you ran the AV software you were unable to determine what that program was this would not be possible.

You need to know the name of the ransomeware that caused the problem in order to proceed any further with ANY actions.
0
 

Author Comment

by:jonathanduane2010
ID: 39982781
thanks guys, I will look at that now
0

Featured Post

Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

My attempt to use PowerShell and other great resources found online to simplify the deployment of Office 365 ProPlus client components to any workstation that needs it, regardless of existing Office components that may be needing attention.
Ever visit a website where you spotted a really cool looking Font, yet couldn't figure out which font family it belonged to, or how to get a copy of it for your own use? This article explains the process of doing exactly that, as well as showing how…
The viewer will learn how to  create a slide that will launch other presentations in Microsoft PowerPoint. In the finished slide, each item launches a new PowerPoint presentation and when each is finished it automatically comes back to this slide: …
This Micro Tutorial well show you how to find and replace special characters in Microsoft Word. This is similar to carriage returns to convert columns of values from Microsoft Excel into comma separated lists.

696 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question