Solved

Files in One SubFolder of 100's won't open and say corrupt

Posted on 2016-07-21
Last Modified: 2016-09-21
I have server 2012 R2 set up as an APP server and my remote RWW is set up on that server.  It is also our file server.  We have 100's of folders set up with 1,000's of files on it.

One subfolder, which has been working in the past: suddenly every file type in it (.doc, .docx, .xls, .xlsx, .pdf, etc.) won't open, or when it opens, it opens with Wingdings characters and the program says it can't find the file type or the file is corrupt. See attached.

Every other subfolder and folder and all of their files work perfectly. I restored this particular subfolder's files to two weeks ago, and overwrote the files so I knew it was a new file from the backup, and I get the same error.

Any ideas? I'm lost. Thanks
Capture.JPG
0
Comment
Question by:FosterThomas
28 Comments
 
LVL 13

Expert Comment

by:Dustin Saunders
ID: 41723015
Sounds like you might have gotten crypto locker.

Are there any rogue files present that say anything about locky or HELP_DECRYPT (or similar)?
1
 
LVL 1

Author Comment

by:FosterThomas
ID: 41723025
> Sounds like you might have gotten crypto locker.
>
> Are there any rogue files present that say anything about locky or HELP_DECRYPT (or similar)?

No, no random file names. All the files in this folder are all 2015 and older for date they were saved, and there are no files with a current date added.

I've had individual computers hit with crypto locker before but never the server, and normally when you tried to open one of the files on the computer it popped up a webpage with a phone number they wanted you to call.    These files just seem to be corrupt but there are no odd files in the folder and they are all older files that are never edited, just opened to use for reference then closed.
0
 
LVL 13

Expert Comment

by:Dustin Saunders
ID: 41723031
Have these files been used since you were hit with cryptolocker?  How were files recovered?  And were the users who were affected able to access these files through a mapped drive? (if the files were not restored and continued to be backed up, your backups will also be corrupt.)
0
 
LVL 1

Author Comment

by:FosterThomas
ID: 41723039
All the files are kept on the server and users access them through a mapped drive or a shortcut on their desktop. So when the few computers I've had were hit with crypto locker, none of the server files were corrupted; only local files on the user's computer were affected. It's been at least a year since the last crypto locker infected computer, and these files in this particular subfolder have been accessed many times and worked fine since then.
0
 
LVL 13

Expert Comment

by:Dustin Saunders
ID: 41723072
What type of backup did you restore from?  Are there any available shadow copies on the server side?
0
 
LVL 1

Author Comment

by:FosterThomas
ID: 41723078
The backup software we use is called Evault and backs up to an off-site facility. I restored it from 14 days ago, and I know as of Monday these files were accessed, so 14 days ago the files would have been fine if they worked on Monday.

I am running every scan I can think of right now: Trend, Malwarebytes, Norton Power Eraser, and they find absolutely nothing.
0
 
LVL 13

Expert Comment

by:Dustin Saunders
ID: 41723104
If it were an encrypting virus, they tend to disappear so the key can't be reversed from it.  Have you compared the checksum of the files in the backup v. the files on the server?  If they match, your backups are also corrupted.  Is 14 days the farthest back you can go?  Did you see if you had shadow copy versions from Monday when they were working?

The fact that they are all in one folder, and all different types of files really indicates something purposefully acted on that folder.
0
 
LVL 1

Author Comment

by:FosterThomas
ID: 41723142
The backup folder matches exactly from what I can see. However, the files worked Monday just fine, and the backup I restored was from 14 days ago, so we know that backup happened before encryption, if that's what the issue is.

I don't know how to look for a shadow copy.
0
 
LVL 13

Expert Comment

by:Dustin Saunders
ID: 41723151
On the file server, right click the folder and go to the Previous Versions tab.  Available shadow copies will be listed there (I assume shadow copies are enabled on your file shares on the server, if they aren't you won't see any available copies.)
ee_prevver.png
0
 
LVL 1

Author Comment

by:FosterThomas
ID: 41723163
There are a ton of shadow copies dating back to early June, should I restore to a random one?
0
 
LVL 13

Expert Comment

by:Dustin Saunders
ID: 41723169
Yeah, grab one but to test I'd click 'Copy...' and put it somewhere else.  If the file looks good, you could restore the folder from that date.
0
 
LVL 1

Author Comment

by:FosterThomas
ID: 41723173
Chose one from 6/24, because I have an email from an employee on that date saying they found the file they needed in that folder, so I know it was working then.

Copied to desktop and same issue.
0
 
LVL 13

Expert Comment

by:Dustin Saunders
ID: 41723188
And the user confirmed that they were able to open the file and work on it?

This cmd tool https://www.microsoft.com/en-us/download/details.aspx?id=11533 allows you to generate a checksum on files.  Can you compare the checksums to see if they are the same?  (the original, the offsite backup, and the shadow copy)
0
 
LVL 1

Author Comment

by:FosterThomas
ID: 41723190
Yes, the employee was able to open and work on the file.

I will run the tool now.
0
 
LVL 13

Expert Comment

by:Dustin Saunders
ID: 41723198
Did you have a copy of the file prior to 6/24 in shadow copies or in your backup?

How was the error in the file discovered?  Was it by the same person who emailed on 6/24?
0
 
LVL 1

Author Comment

by:FosterThomas
ID: 41723201
That tool doesn't work with Windows 10 or Server 2012, which are the only computers I can get on from where I am right now.
0
 
LVL 1

Author Comment

by:FosterThomas
ID: 41723205
The error was discovered yesterday when the same employee tried to open a different copy on the shared drive under that same subfolder. She then emailed me to see what was wrong with that file, in which I was stumped, and I ended up trying the other files in that folder and found the same issue. I then went through every other subfolder and verified that all other subfolders are functioning correctly.
0
 
LVL 13

Expert Comment

by:Dustin Saunders
ID: 41723219
Did you have a copy of the file prior to 6/24 in shadow copies or in your backup?

The tool will work on 2012 (it's a cmd utility so you need to use it in an admin command prompt.)  Browse to the extracted location and run fciv.exe -add <pathtofile>

Has the user had any problems with documents on their individual computer?
checksum.png
0
 
LVL 1

Author Comment

by:FosterThomas
ID: 41723234
No the user is having no problems with files on their computer or any other files at all, I also ran a scan on their computer, even though many users access this particular sub folder.

The shadow copies go back to 6/19. I copied that, being the oldest one, and still the same issue. I copied Monday's shadow copy, because I know it worked fine on Monday, and same issue.
0
 
LVL 1

Author Comment

by:FosterThomas
ID: 41723251
There are no differences between the original, the shadow copy from 6/19, or the nightly off-site backup from 6/19.
0
 
LVL 13

Expert Comment

by:Dustin Saunders
ID: 41723271
If the checksum is the same for all three then the file was corrupt when it was being backed up all the way back prior.  The same applies to your offsite, the backup you have there is also the corrupted version.  Being offsite, nothing can go change that file.

The checksum indicates that it is an exact copy- for example if you have a normal file and it becomes corrupted, the checksum WILL be different.  The same is true, if it were encrypted the checksum would be different.

Since folders in Windows are more metaphorical than physical, this folder was probably encrypted or had some utility run against it by a user that broke the files.

But if your backups, local and remote, have the same checksum they're all the same corrupt file that's been backed up for so long.
0
 
LVL 1

Author Comment

by:FosterThomas
ID: 41723281
I understand everything you are saying and it all makes sense and I agree with you; however, these files were accessed on Monday by multiple people, one being myself, in which I know I accessed the file from the server directly.
0
 
LVL 13

Accepted Solution

by:
Dustin Saunders earned 500 total points
ID: 41723334
Then at this point I would suggest reaching out to evault and asking why the checksum for the file prior to Monday matches the broken file.  Shadow copies can become broken like that through cryptolocker, but your offsite can't be affected by that.  But I suspect you'll get the same answer from them, and the chance two hashes collide is astronomical, and not the explanation.

Try the 3x checksum verification on a few other files- and if the offsite, the original, and the shadow copy all match, the files themselves are corrupted, and have been backing up corrupted for x amount of time.
0
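The three-way checksum verification suggested above, as an added example that is not part of the original thread. It uses PowerShell's built-in `Get-FileHash` (available on Server 2012 R2) instead of the fciv.exe tool mentioned earlier; the function name `Compare-CopyHashes`, the folder names and the demo files are constructed for illustration.

```powershell
# Added example: SHA-256 of every file under the live share, compared with the
# same relative path in a shadow-copy export and in an offsite restore.
function Compare-CopyHashes {
    param(
        [Parameter(Mandatory)][string]$Live,
        [Parameter(Mandatory)][string]$Shadow,
        [Parameter(Mandatory)][string]$Offsite
    )
    $root = (Resolve-Path -LiteralPath $Live).ProviderPath.TrimEnd('\', '/')
    Get-ChildItem -LiteralPath $root -Recurse -File | ForEach-Object {
        $rel = $_.FullName.Substring($root.Length).TrimStart('\', '/')
        # One hash per copy, in the order live, shadow, offsite.
        $hashes = foreach ($base in $root, $Shadow, $Offsite) {
            $path = Join-Path $base $rel
            if (Test-Path -LiteralPath $path -PathType Leaf) {
                (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            } else { 'MISSING' }
        }
        [pscustomobject]@{
            File     = $rel
            AllMatch = (@($hashes | Select-Object -Unique).Count -eq 1)
            Live     = $hashes[0]
            Shadow   = $hashes[1]
            Offsite  = $hashes[2]
        }
    }
}

# Constructed demo data: three small trees; report.pdf differs in the live copy.
$tmp = Join-Path ([System.IO.Path]::GetTempPath()) 'hash-demo'
foreach ($d in 'live', 'shadow', 'offsite') {
    $dir = Join-Path $tmp $d
    New-Item -ItemType Directory -Force -Path $dir | Out-Null
    Set-Content -LiteralPath (Join-Path $dir 'notes.txt')  -Value 'unchanged reference text'
    Set-Content -LiteralPath (Join-Path $dir 'report.pdf') -Value 'original body'
}
Set-Content -LiteralPath (Join-Path $tmp 'live\report.pdf') -Value 'altered body'

Compare-CopyHashes -Live "$tmp\live" -Shadow "$tmp\shadow" -Offsite "$tmp\offsite" |
    Format-Table File, AllMatch, Live, Shadow, Offsite -AutoSize
```

A file that will not open but shows `AllMatch = True` has the same bytes in every copy, which is the situation described in this thread; `AllMatch = False` means at least one backup differs from the live file and is worth testing as a restore candidate.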
 
LVL 1

Author Comment

by:FosterThomas
ID: 41723341
Not sure if this adds anything, but I just noticed that all picture files in the folder work fine; it's only PDFs and Office files that aren't functioning correctly.
0
 
LVL 13

Expert Comment

by:Dustin Saunders
ID: 41723359
Sometimes you can get those issues from trusted locations, but the end is the same.  If you go to evault, download the offsite copy to another PC and it has the same problem- it's not an issue with location on the server, sector on the file store, permission on the server, etc.- it's the file.

Being that it only seems to have hit office and pdf files sounds like a variant of crypto we've encountered before where it only encrypts those files in folders as users access them.
0
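A way to check whether the stored bytes of the affected Office and PDF files still look like those formats, while the picture files do, added here as an example and not taken from the thread. It compares each file's leading bytes with the well-known signature for its extension; the function name `Test-FileHeader`, the signature table's selection of extensions and the demo files are constructed for illustration.

```powershell
# Added example. Expected leading bytes per extension, as BitConverter-style hex.
$Signatures = @{
    '.pdf'  = '25-50-44-46'                 # "%PDF"
    '.docx' = '50-4B-03-04'                 # ZIP container (Office Open XML)
    '.xlsx' = '50-4B-03-04'
    '.doc'  = 'D0-CF-11-E0-A1-B1-1A-E1'     # OLE2 compound file
    '.xls'  = 'D0-CF-11-E0-A1-B1-1A-E1'
    '.jpg'  = 'FF-D8-FF'
    '.png'  = '89-50-4E-47'
}

function Test-FileHeader {
    param([Parameter(Mandatory)][string]$Folder)
    Get-ChildItem -LiteralPath $Folder -Recurse -File | ForEach-Object {
        $expected = $Signatures[$_.Extension.ToLower()]
        if (-not $expected) { return }      # extension not in the table: skip it
        # Read exactly as many bytes as the signature is long.
        $buf = New-Object byte[] (($expected.Length + 1) / 3)
        $fs  = [System.IO.File]::OpenRead($_.FullName)
        try { $read = $fs.Read($buf, 0, $buf.Length) } finally { $fs.Dispose() }
        $actual = [System.BitConverter]::ToString($buf, 0, $read)
        [pscustomobject]@{
            File     = $_.Name
            HeaderOk = ($actual -eq $expected)
            Expected = $expected
            Actual   = $actual
        }
    }
}

# Constructed demo data: an intact PDF header, a .docx whose leading bytes
# have been replaced, and an intact PNG header.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'header-demo'
New-Item -ItemType Directory -Force -Path $demo | Out-Null
[System.IO.File]::WriteAllBytes((Join-Path $demo 'manual.pdf'),  [byte[]](0x25,0x50,0x44,0x46,0x2D,0x31,0x2E,0x34))
[System.IO.File]::WriteAllBytes((Join-Path $demo 'policy.docx'), [byte[]](0x9C,0x3E,0xA7,0x11,0x5B,0xF0,0x02,0xD4))
[System.IO.File]::WriteAllBytes((Join-Path $demo 'photo.png'),   [byte[]](0x89,0x50,0x4E,0x47,0x0D,0x0A,0x1A,0x0A))

Test-FileHeader -Folder $demo | Format-Table -AutoSize
```

`HeaderOk = False` on a restored copy means the bytes in the backup are themselves not a valid document of that type, independent of server location or permissions. An intact header only rules out whole-file replacement; it does not prove the rest of the file is undamaged.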
 
LVL 1

Author Comment

by:FosterThomas
ID: 41723401
I just found our original backup to Evault from August of 2014. I restored that same folder from them; again, these files haven't changed, they are there strictly for reference, they are never resaved or updated, so it's the same exact files. I restored them from that and the same exact issue.

For two years these files have been used.  This has to be something other than crypto locker or some other virus.    This has to be a permission issue that has changed or something.
0
 
LVL 13

Expert Comment

by:Dustin Saunders
ID: 41723450
And the same thing if you restore the file to a folder on your local PC, not the server- correct?
0
