Solved

Files in One SubFolder of 100's won't open and say corrupt

Posted on 2016-07-21
Last Modified: 2016-09-21
I have server 2012 R2 set up as an APP server and my remote RWW is set up on that server.  It is also our file server.  We have 100's of folders set up with 1,000's of files on it.

One subfolder which has been working in the past, suddenly every file type in it .doc, .docx, .xls, .xlsx, .pdf etc won't open or when it opens, it opens with wing ding characters and the program says can't find file type or file is corrupt.  See attached.  

Every other subfolder and folder and all of their files work perfectly.  I restored this particular subfolder's files to two weeks ago, and overwrote the files so I knew it was a new file from the backup, and I get the same error.

Any ideas? I'm lost.  Thanks
Capture.JPG
Question by:FosterThomas
 
LVL 12

Expert Comment

by:Dustin Saunders
ID: 41723015
Sounds like you might have gotten crypto locker.

Are there any rogue files present that say anything about locky or HELP_DECRYPT (or similar)?
1
 
LVL 1

Author Comment

by:FosterThomas
ID: 41723025
Sounds like you might have gotten crypto locker.

 Are there any rogue files present that say anything about locky or HELP_DECRYPT (or similar)?

No, no random file names.  All the files in this folder are all 2015 and older for date they were saved, and there are no files with a current date added.

I've had individual computers hit with crypto locker before but never the server, and normally when you tried to open one of the files on the computer it popped up a webpage with a phone number they wanted you to call.    These files just seem to be corrupt but there are no odd files in the folder and they are all older files that are never edited, just opened to use for reference then closed.
0
 
LVL 12

Expert Comment

by:Dustin Saunders
ID: 41723031
Have these files been used since you were hit with cryptolocker?  How were files recovered?  And were the users who were affected able to access these files through a mapped drive? (if the files were not restored and continued to be backed up, your backups will also be corrupt.)
0
 
LVL 1

Author Comment

by:FosterThomas
ID: 41723039
All the files are kept on the server and users access them through a mapped drive or a shortcut on their desktop.  So when the few computers I've had were hit with crypto locker, none of the server files were corrupted; only local files on the users' computers were affected.  It's been at least a year since the last crypto locker infected computer and these files in this particular subfolder have been accessed many times and worked fine since then.
0
 
LVL 12

Expert Comment

by:Dustin Saunders
ID: 41723072
What type of backup did you restore from?  Are there any available shadow copies on the server side?
0
 
LVL 1

Author Comment

by:FosterThomas
ID: 41723078
The backup software we use is called Evault and backs up to an off-site facility.  I restored it from 14 days ago, and I know as of Monday these files were accessed, so 14 days ago the files would have been fine if they worked on Monday.

I am running every scan I can think of right now.  Trend, Malwarebytes, Norton Power Eraser, and they find absolutely nothing.
0
 
LVL 12

Expert Comment

by:Dustin Saunders
ID: 41723104
If it were an encrypting virus, they tend to disappear so the key can't be reversed from it.  Have you compared the checksum of the files in the backup v. the files on the server?  If they match, your backups are also corrupted.  Is 14 days the farthest back you can go?  Did you see if you had shadow copy versions from Monday when they were working?

The fact that they are all in one folder, and all different types of files really indicates something purposefully acted on that folder.
0
 
LVL 1

Author Comment

by:FosterThomas
ID: 41723142
The backup folder matches exactly from what I can see.  However, the files worked Monday just fine, and the backup I restored was from 14 days ago, so we know that backup happened before encryption, if that's what the issue is.

I don't know how to look for a shadow copy.
0
 
LVL 12

Expert Comment

by:Dustin Saunders
ID: 41723151
On the file server, right click the folder and go to the Previous Versions tab.  Available shadow copies will be listed there (I assume shadow copies are enabled on your file shares on the server, if they aren't you won't see any available copies.)
ee_prevver.png
0
 
LVL 1

Author Comment

by:FosterThomas
ID: 41723163
There are a ton of shadow copies dating back to early June, should I restore to a random one?
0
 
LVL 12

Expert Comment

by:Dustin Saunders
ID: 41723169
Yeah, grab one but to test I'd click 'Copy...' and put it somewhere else.  If the file looks good, you could restore the folder from that date.
0
 
LVL 1

Author Comment

by:FosterThomas
ID: 41723173
Chose one from 6/24, because I have an email from an employee on that date saying they found the file they needed in that folder, so I know it was working then.

Copied to desktop and same issue.
0
 
LVL 12

Expert Comment

by:Dustin Saunders
ID: 41723188
And the user confirmed that they were able to open the file and work on it?

This cmd tool https://www.microsoft.com/en-us/download/details.aspx?id=11533 allows you to generate a checksum on files.  Can you compare the checksums to see if they are the same?  (the original, the offsite backup, and the shadow copy)
0
 
LVL 1

Author Comment

by:FosterThomas
ID: 41723190
Yes, the employee was able to open and work on the file.

I will run the tool now.
0
 
LVL 12

Expert Comment

by:Dustin Saunders
ID: 41723198
Did you have a copy of the file prior to 6/24 in shadow copies or in your backup?

How was the error in the file discovered?  Was it by the same person who emailed on 6/24?
0
 
LVL 1

Author Comment

by:FosterThomas
ID: 41723201
That tool doesn't work with Windows 10 or Server 2012, which are the only computers I can get on from where I am right now.
0
 
LVL 1

Author Comment

by:FosterThomas
ID: 41723205
The error was discovered yesterday when the same employee tried to open a different copy on the shared drive under that same subfolder.  She then emailed me to see what was wrong with that file, in which I was stumped and I ended up trying the other files in that folder and found the same issue.  I then went through every other subfolder and verified that all other subfolders are functioning correctly.
0
 
LVL 12

Expert Comment

by:Dustin Saunders
ID: 41723219
Did you have a copy of the file prior to 6/24 in shadow copies or in your backup?

The tool will work on 2012 (it's a cmd utility so you need to use it in an admin command prompt.)  Browse to the extracted location and run fciv.exe -add <pathtofile>

Has the user had any problems with documents on their individual computer?
checksum.png
0
 
LVL 1

Author Comment

by:FosterThomas
ID: 41723234
No the user is having no problems with files on their computer or any other files at all, I also ran a scan on their computer, even though many users access this particular sub folder.

The shadow copies go back to 6/19 I copied that, being the oldest one and still same issue, I copied Monday's shadow copy because I know it worked on Monday fine and same issue.
0
 
LVL 1

Author Comment

by:FosterThomas
ID: 41723251
There are no differences between the original, shadow copy from 6/19 or nightly off site back up from 6/19
0
 
LVL 12

Expert Comment

by:Dustin Saunders
ID: 41723271
If the checksum is the same for all three then the file was corrupt when it was being backed up all the way back prior.  The same applies to your offsite, the backup you have there is also the corrupted version.  Being offsite, nothing can go change that file.

The checksum indicates that it is an exact copy- for example if you have a normal file and it becomes corrupted, the checksum WILL be different.  The same is true, if it were encrypted the checksum would be different.

Since folders in Windows are more metaphorical than physical, this folder was probably encrypted or had some utility run against it by a user that broke the files.

But if your backups, local and remote, have the same checksum they're all the same corrupt file that's been backed up for so long.
0
 
LVL 1

Author Comment

by:FosterThomas
ID: 41723281
I understand everything you are saying and it all makes sense and I agree with you, however these files were accessed on Monday, by multiple people one being myself in which I know I accessed the file from the server directly
0
 
LVL 12

Accepted Solution

by:
Dustin Saunders earned 500 total points
ID: 41723334
Then at this point I would suggest reaching out to evault and asking why the checksum for the file prior to Monday matches the broken file.  Shadow copies can become broken like that through cryptolocker, but your offsite can't be affected by that.  But I suspect you'll get the same answer from them, and the chance two hashes collide is astronomical, and not the explanation.

Try the 3x checksum verification on a few other files- and if the offsite, the original, and the shadow copy all match, the files themselves are corrupted, and have been backing up corrupted for x amount of time.
0
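
The three-way checksum comparison suggested in the answer above, as an added PowerShell example that is not part of the original thread: it uses the built-in `Get-FileHash` cmdlet (PowerShell 4.0 and later) in place of fciv.exe and goes one step further by checking whether each file still begins with the signature bytes its extension implies. The three root paths are hypothetical placeholders for the live folder, a copy taken from Previous Versions, and an off-site restore.

```powershell
# Added example. All three root paths are hypothetical placeholders.
$Copies = [ordered]@{
    Live    = 'D:\Shares\Reference'            # folder on the file server
    Shadow  = 'C:\Restore\Shadow\Reference'    # copied out of Previous Versions
    Offsite = 'C:\Restore\Offsite\Reference'   # restored from the off-site backup
}

# First four bytes a healthy file of each type starts with.
$Magic = @{
    '.pdf'  = '25504446'   # "%PDF"
    '.docx' = '504B0304'   # ZIP container used by Office Open XML
    '.xlsx' = '504B0304'
    '.doc'  = 'D0CF11E0'   # OLE2 compound file used by legacy Office
    '.xls'  = 'D0CF11E0'
}

function Get-HeaderHex([string]$Path, [int]$Count = 4) {
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $buffer = New-Object byte[] $Count
        $read = $stream.Read($buffer, 0, $Count)
        return [System.BitConverter]::ToString($buffer, 0, $read).Replace('-', '')
    } finally {
        $stream.Dispose()
    }
}

$liveRoot = (Resolve-Path -LiteralPath $Copies['Live']).ProviderPath.TrimEnd('\')
Get-ChildItem -LiteralPath $liveRoot -Recurse -File | ForEach-Object {
    $relative = $_.FullName.Substring($liveRoot.Length).TrimStart('\')
    # SHA-256 of the same relative path under each root, or MISSING.
    $hashes = foreach ($name in $Copies.Keys) {
        $candidate = Join-Path $Copies[$name] $relative
        if (Test-Path -LiteralPath $candidate -PathType Leaf) {
            (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash
        } else { 'MISSING' }
    }
    $extension = $_.Extension.ToLowerInvariant()
    $header = Get-HeaderHex $_.FullName
    [pscustomobject]@{
        File           = $relative
        AllCopiesMatch = (@($hashes | Select-Object -Unique).Count -eq 1)
        Header         = $header
        # $null means the extension is not in the $Magic table.
        SignatureOk    = if ($Magic.ContainsKey($extension)) { $header -eq $Magic[$extension] } else { $null }
    }
} | Format-Table -AutoSize
```

A row with `AllCopiesMatch` true and `SignatureOk` false means every copy holds the same bytes and those bytes no longer start like the file type they claim to be; a row with both true means the header is intact, so the cause is more likely outside the file content. The signature test covers only the first four bytes, so it cannot rule out damage further into the file.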
 
LVL 1

Author Comment

by:FosterThomas
ID: 41723341
not sure if this adds anything but I just noticed that all picture files in the folder work fine, it's only pdf's and office files that aren't functioning correctly
0
 
LVL 12

Expert Comment

by:Dustin Saunders
ID: 41723359
Sometimes you can get those issues from trusted locations, but the end is the same.  If you go to evault, download the offsite copy to another PC and it has the same problem- it's not an issue with location on the server, sector on the file store, permission on the server, etc.- it's the file.

Being that it only seems to have hit office and pdf files sounds like a variant of crypto we've encountered before where it only encrypts those files in folders as users access them.
0
 
LVL 1

Author Comment

by:FosterThomas
ID: 41723401
I just found our original backup to Evault from August of 2014.  I restored that same folder from them; again, these files haven't changed, they are there strictly for reference, they are never resaved or updated, so it's the same exact files.  I restored them from that and the same exact issue.

For two years these files have been used.  This has to be something other than crypto locker or some other virus.    This has to be a permission issue that has changed or something.
0
 
LVL 12

Expert Comment

by:Dustin Saunders
ID: 41723450
And the same thing if you restore the file to a folder on your local PC, not the server- correct?
0
