Solved

corrupt files

Posted on 2014-03-19
17
218 Views
Last Modified: 2014-04-28
Hi guys,

one of the users has a machine that now has lots of corrupt files, maybe they were a different format but it looks as if they try to convert them every time it opens and they dont eventually open?

Is there anything that can be done to retrieve the info?

Here is an example
let-to-EBS2.doc
0
Comment
Question by:jonathanduane2010
  • 11
  • 6
17 Comments
 
LVL 11

Expert Comment

by:itguy565
ID: 39939438
That file has been encrypted. If I were a betting man then I would say that you are infected with Ransomware on that workstation. This looks alot like the format I saw when a client was infected with CryptoLocker.
0
 
LVL 11

Expert Comment

by:itguy565
ID: 39939441
If that is the case then the files will be unrecoverable. Please scan that computer for virus and make sure it is disconnected from your network when you do it.
0
 
LVL 11

Expert Comment

by:itguy565
ID: 39939442
If that is Cryptolocker it will not only effect that workstation but also any network share that workstation has access to.
0
 

Author Comment

by:jonathanduane2010
ID: 39939449
its off the network.....

its a home user that never did backups..

the files are gone??
0
 
LVL 11

Expert Comment

by:itguy565
ID: 39939459
I wouldn't say that yet. You need to determine what virus has infected that system.

Download the following:
Rkill
combofix
malwarebytes
emsisoft Emergancy malware kit Free

If you run these on the workstation one of them is likely to tell you what the virus is. If it is cryptoLocker then the files are gone. If it is another type of Ransomeware some of the decryption keys are out on the web so you might be able to find a problem to decrypt the files.

The trick is first identify the source of the infection then you can determine if the files are recoverable or not.
0
 

Author Comment

by:jonathanduane2010
ID: 39939846
there doesnt seem to be any viruses on it.....
0
 
LVL 11

Expert Comment

by:itguy565
ID: 39939853
If that is the case then the files will most likely not be able to be recovered. can you post an instance of another file?
0
 
LVL 11

Expert Comment

by:itguy565
ID: 39940003
In order to decrypt those files you need to know what program for virus encrypted it so that you can determine if the hash is available to decrypt them. If the program is not available or is not on that PC then the chances of encrypting those files are next to none.
0
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

 

Author Comment

by:jonathanduane2010
ID: 39940009
are they definitely encrypted???
0
 

Author Comment

by:jonathanduane2010
ID: 39940024
here is another file
Stationary2013.docx
0
 
LVL 11

Expert Comment

by:itguy565
ID: 39940039
yes, a regular word document looks like this:
PK     ! 3qNw  !   [Content_Types].xml ¢(                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  ´TKKÃ@¾þ‡°WI¶õ "M{ðqÔ‚¼®›I»¸/v§¯ï¤iƒHÚ¨m/Í|¯fg0Z, DålÎúY%`¥+”æìmò”Þ²$¢°…ÐÎBÎÖÙhxy1˜¬=Ä„Ø6æl†èï8rFÄÌy°T)]0é¦Üù)¦À¯{½.E°˜b¥Á†ƒ(Å\cò¸¢ßu’ :²ä¾V^9Þk%R/lñÃ%Ý:dÄÜ`âLùxE Æ[ªÊ~ƒ-ï…ZTÉX|†P|éBÁ'熘Ùa™–œ®,•„†_©ùà$ÄH=7:k*F(»Ëß–CÎ#:ón4Wfœý£ã4¢•TÐôpo/"®5ÄÓw¢Öí¶D"œ#ÀV¹3Â>^Ï–â›xg’|'âCÃéc4ҝ!¶ Ôßãr#sÈ’›Ù§­þqíÝڨةÿÕÐ7Ž$}ôý ÚHõ®ê‰Þ{‹9ß,øá   ÿÿ PK     ! ™U~þ   á   _rels/.rels ¢(                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  ¬’MK1†ï‚ÿ!̽;Û*"ÒÝ^DèMdýC2û›’©¶ÿÞ(Š.Ôµ‡3yçÉ3CÖ›½Õ+Ç4xWÁ²(A±ÓÞ®«à¹yXÜ‚JBÎÐèWpà›úòbýÄ#InJý’Ê—*èEÂbÒ=[J…ìòMë£%ÉÇØa ýBãª,o0þf@=aª­© nͨæø¶oÛAó½×;ËNŽ<¼v†Í"ÄÜeÈÓ¨†bÇRñú1—REF7Znô÷´hYȐjyÞç#1'´<犦‰›7
š¯òœÍõ9mô.‰·ÿ¬ç3ó­„“Y¿  ÿÿ PK     ! ßµL¶
  ¿   word/_rels/document.xml.rels ¢(  

Open in new window


Notice the content type at the top.

[Content_Types].xml

all word documents are going to show that string.. This document does not have that so the original code has been altered.
0
 
LVL 11

Expert Comment

by:itguy565
ID: 39940050
When you open that document in a text editor you get the following:

¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿÷¿¿¿¿¿¿¿¿s¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿A¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¦¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿P¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿E¿¿¿¿¿¿¿¿¿¿¿s¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿-¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿û¿¿¿¿¿¿¿a¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿;¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿[¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿>¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿µ¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿Å¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿g¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿¿

Open in new window


This is definitely not the original code associated with this document.
0
 
LVL 11

Expert Comment

by:itguy565
ID: 39940063
Lets try that again. Here is a screenshot as EE doesn't let me paste the code.

stationary 2013
0
 
LVL 11

Expert Comment

by:itguy565
ID: 39940073
Other Experts Please Chime in.. We can use a second opinion but looking at these files I am 100% sure they have been encrypted.
0
 

Author Comment

by:jonathanduane2010
ID: 39940279
is there any way of paying the ransom so i can get the files decrypted????
0
 
LVL 11

Accepted Solution

by:
itguy565 earned 500 total points
ID: 39940294
If you knew the program that encrypted the files that might be possible. Because when you ran the AV software you were unable to determine what that program was this would not be possible.

You need to know the name of the ransomeware that caused the problem in order to proceed any further with ANY actions.
0
 

Author Comment

by:jonathanduane2010
ID: 39982781
thanks guys, I will look at that now
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
EXCEL 2010 7 57
OneDrive for Office 365 Users 2 56
Which version of Microsoft Project does my client need? 3 72
MS Word Office 365 Mail Merge 2 48
Preface: When I started this series, I used the term CommandBars because that is the Office Object class that it discusses. Unfortunately, when Microsoft introduced Office 2007, they replaced the standard Commandbar menus with "The Ribbon" and rem…
This article descibes how to create a connection between Excel and SAP and how to move data from Excel to SAP or the other way around.
The view will learn how to download and install SIMTOOLS and FORMLIST into Excel, how to use SIMTOOLS to generate a Monte Carlo simulation of 30 sales calls, and how to calculate the conditional probability based on the results of the Monte Carlo …
Learn how to make your own table of contents in Microsoft Word using paragraph styles and the automatic table of contents tool. We'll be using the paragraph styles in Word’s Home toolbar to help you create a table of contents. Type out your initial …

919 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now