Solved

Files in One SubFolder of 100's won't open and say corrupt

Posted on 2016-07-21
28
13 Views
Last Modified: 2016-09-21
I have server 2012 R2 set up as an APP server and my remote RWW is set up on that server.  It is also our file server.  We have 100's of folders set up with 1,000's of files on it.

One subfolder which has been working in the past, suddenly every file type in it .doc, .docx, .xls, .xlsx, .pdf etc won't open or when it opens, it opens with wing ding characters and the program says can't find file type or file is corrupt.  See attached.  

Every other sub folder and folder and all of their files work perfectly.   I restored this particular sub folder's files to two weeks ago, and overwrote the files so I knew it was a new file from the back up and I get the same error.

Any ideas? I'm lost.  Thanks
Capture.JPG
0
Comment
Question by:FosterThomas
  • 14
  • 13
28 Comments
 
LVL 12

Expert Comment

by:Dustin Saunders
ID: 41723015
Sounds like you might have gotten crypto locker.

Are there any rogue files present that say anything about locky or HELP_DECRYPT (or similar)?
1
 
LVL 1

Author Comment

by:FosterThomas
ID: 41723025
Sounds like you might have gotten crypto locker.

 Are there any rogue files present that say anything about locky or HELP_DECRYPT (or similar)?

No, no random file names.  All the files in this folder are all 2015 and older for date they were saved, and there are no files with a current date added.

I've had individual computers hit with crypto locker before but never the server, and normally when you tried to open one of the files on the computer it popped up a webpage with a phone number they wanted you to call.    These files just seem to be corrupt but there are no odd files in the folder and they are all older files that are never edited, just opened to use for reference then closed.
0
 
LVL 12

Expert Comment

by:Dustin Saunders
ID: 41723031
Have these files been used since you were hit with cryptolocker?  How were files recovered?  And were the users who were affected able to access these files through a mapped drive? (if the files were not restored and continued to be backed up, your backups will also be corrupt.)
0
 
LVL 1

Author Comment

by:FosterThomas
ID: 41723039
All the files are kept on the server and users access them through a mapped drive or a shortcut on their desktop.   So when the few computers I've had were hit with crypto locker, none of the server files were corrupted, only local files on the users' computers were affected.  It's been at least a year since the last crypto locker infected computer and these files in this particular sub folder have been accessed many times and worked fine since then.
0
 
LVL 12

Expert Comment

by:Dustin Saunders
ID: 41723072
What type of backup did you restore from?  Are there any available shadow copies on the server side?
0
 
LVL 1

Author Comment

by:FosterThomas
ID: 41723078
The back up software we use is called Evault and backs up to an off site facility.  I restored it from 14 days ago, and I know as of Monday these files were accessed, so 14 days ago the files would have been fine if they worked on Monday.

I am running every scan I can think of right now.  Trend, malware bytes, Norton power eraser and they find absolutely nothing.
0
 
LVL 12

Expert Comment

by:Dustin Saunders
ID: 41723104
If it were an encrypting virus, they tend to disappear so the key can't be reversed from it.  Have you compared the checksum of the files in the backup v. the files on the server?  If they match, your backups are also corrupted.  Is 14 days the farthest back you can go?  Did you see if you had shadow copy versions from Monday when they were working?

The fact that they are all in one folder, and all different types of files really indicates something purposefully acted on that folder.
0
 
LVL 1

Author Comment

by:FosterThomas
ID: 41723142
The back up folder matches exactly from what I can see.  However the files worked Monday just fine, and the back up I restored was 14 days ago so we know that back up happened before encryption, if that's what the issue is.

I don't know how to look for a shadow copy.
0
 
LVL 12

Expert Comment

by:Dustin Saunders
ID: 41723151
On the file server, right click the folder and go to the Previous Versions tab.  Available shadow copies will be listed there (I assume shadow copies are enabled on your file shares on the server, if they aren't you won't see any available copies.)
ee_prevver.png
0
 
LVL 1

Author Comment

by:FosterThomas
ID: 41723163
There are a ton of shadow copies dating back to early June, should I restore to a random one?
0
 
LVL 12

Expert Comment

by:Dustin Saunders
ID: 41723169
Yeah, grab one but to test I'd click 'Copy...' and put it somewhere else.  If the file looks good, you could restore the folder from that date.
0
 
LVL 1

Author Comment

by:FosterThomas
ID: 41723173
Chose one from 6/24, because I have an email from an employee on that date saying they found the file they needed in that folder, so I know it was working then.

Copied to desktop and same issue.
0
 
LVL 12

Expert Comment

by:Dustin Saunders
ID: 41723188
And the user confirmed that they were able to open the file and work on it?

This cmd tool https://www.microsoft.com/en-us/download/details.aspx?id=11533 allows you to generate a checksum on files.  Can you compare the checksums to see if they are the same?  (the original, the offsite backup, and the shadow copy)
0
 
LVL 1

Author Comment

by:FosterThomas
ID: 41723190
Yes, the employee was able to open and work on the file.

I will run the tool now.
0
 
LVL 12

Expert Comment

by:Dustin Saunders
ID: 41723198
Did you have a copy of the file prior to 6/24 in shadow copies or in your backup?

How was the error in the file discovered?  Was it by the same person who emailed on 6/24?
0
 
LVL 1

Author Comment

by:FosterThomas
ID: 41723201
That tool doesn't work with Windows 10 or Server 2012, which are the only computers I can get on from where I am right now.
0
 
LVL 1

Author Comment

by:FosterThomas
ID: 41723205
The error was discovered yesterday when the same employee tried to open a different copy on the shared drive under that same sub folder.    She then emailed me to see what was wrong with that file, in which I was stumped and I ended up trying the other files in that folder and found the same issue.  I then went through every other sub folder and verified that all other sub folders are functioning correctly.
0
 
LVL 12

Expert Comment

by:Dustin Saunders
ID: 41723219
Did you have a copy of the file prior to 6/24 in shadow copies or in your backup?

The tool will work on 2012 (it's a cmd utility so you need to use it in an admin command prompt.)  Browse to the extracted location and run fciv.exe -add <pathtofile>

Has the user had any problems with documents on their individual computer?
checksum.png
0
 
LVL 1

Author Comment

by:FosterThomas
ID: 41723234
No the user is having no problems with files on their computer or any other files at all, I also ran a scan on their computer, even though many users access this particular sub folder.

The shadow copies go back to 6/19 I copied that, being the oldest one and still same issue, I copied Monday's shadow copy because I know it worked on Monday fine and same issue.
0
 
LVL 1

Author Comment

by:FosterThomas
ID: 41723251
There are no differences between the original, shadow copy from 6/19 or nightly off site back up from 6/19
0
 
LVL 12

Expert Comment

by:Dustin Saunders
ID: 41723271
If the checksum is the same for all three then the file was corrupt when it was being backed up all the way back prior.  The same applies to your offsite, the backup you have there is also the corrupted version.  Being offsite, nothing can go change that file.

The checksum indicates that it is an exact copy- for example if you have a normal file and it becomes corrupted, the checksum WILL be different.  The same is true, if it were encrypted the checksum would be different.

Since folders in Windows are more metaphorical than physical, this folder was probably encrypted or had some utility run against it by a user that broke the files.

But if your backups, local and remote, have the same checksum they're all the same corrupt file that's been backed up for so long.
0
 
LVL 1

Author Comment

by:FosterThomas
ID: 41723281
I understand everything you are saying and it all makes sense and I agree with you, however these files were accessed on Monday, by multiple people one being myself in which I know I accessed the file from the server directly
0
 
LVL 12

Accepted Solution

by:
Dustin Saunders earned 500 total points
ID: 41723334
Then at this point I would suggest reaching out to evault and asking why the checksum for the file prior to Monday matches the broken file.  Shadow copies can become broken like that through cryptolocker, but your offsite can't be affected by that.  But I suspect you'll get the same answer from them, and the chance two hashes collide is astronomical, and not the explanation.

Try the 3x checksum verification on a few other files- and if the offsite, the original, and the shadow copy all match, the files themselves are corrupted, and have been backing up corrupted for x amount of time.
0
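The three-way comparison suggested in this answer, as an added example that is not part of the original thread: it hashes the three copies with PowerShell's built-in `Get-FileHash` (PowerShell 4.0 and later) and also checks the leading bytes against the signature expected for the extension, which separates "every copy holds the same damaged bytes" from "the bytes are fine and the problem is on the opening side". The function names `Get-HeaderHex` and `Test-CopySet` and the demo file names are hypothetical, and the demo files are constructed.

```powershell
# Added example, not from the thread. Leading bytes for the file types named in the question.
$Magic = @{
    '.pdf'  = '25504446'            # "%PDF"
    '.docx' = '504B0304'            # ZIP container (Office Open XML)
    '.xlsx' = '504B0304'
    '.doc'  = 'D0CF11E0A1B11AE1'    # OLE compound file (legacy Office)
    '.xls'  = 'D0CF11E0A1B11AE1'
}

function Get-HeaderHex {
    param([string]$Path, [int]$Count = 8)
    $buf = New-Object byte[] $Count
    # Convert-Path: .NET resolves relative paths against the process directory, not the PS location
    $fs = [System.IO.File]::OpenRead((Convert-Path -LiteralPath $Path))
    try { $read = $fs.Read($buf, 0, $Count) } finally { $fs.Dispose() }
    if ($read -eq 0) { return '' }
    -join ($buf[0..($read - 1)] | ForEach-Object { $_.ToString('X2') })
}

function Test-CopySet {
    param([string]$Original, [string]$ShadowCopy, [string]$OffsiteRestore)
    $hashes = @($Original, $ShadowCopy, $OffsiteRestore | ForEach-Object {
        (Get-FileHash -LiteralPath $_ -Algorithm SHA256).Hash })
    $allMatch = @($hashes | Select-Object -Unique).Count -eq 1
    $expected = $Magic[[System.IO.Path]::GetExtension($Original).ToLowerInvariant()]
    $header   = Get-HeaderHex -Path $Original
    # A valid header does not prove the rest of the file is intact; it only rules out
    # whole-file encryption or overwrite from the first byte.
    $verdict = if (-not $allMatch) { 'Copies differ: the file changed between backup points' }
        elseif (-not $expected) { 'Copies identical; no signature on record for this extension' }
        elseif ($header.StartsWith($expected)) { 'Copies identical, header valid: check the client/viewer side' }
        else { 'Copies identical, header invalid: the same damaged bytes are in every copy' }
    [pscustomobject]@{ AllMatch = $allMatch; Header = $header; Verdict = $verdict }
}

# Constructed demo: three identical copies whose content does not start with "%PDF".
$dir = Join-Path ([System.IO.Path]::GetTempPath()) 'copyset-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$bytes = [byte[]](0x9F, 0x11, 0x7A, 0x03, 0xC4)
$paths = 'orig.pdf', 'shadow.pdf', 'offsite.pdf' | ForEach-Object { Join-Path $dir $_ }
$paths | ForEach-Object { [System.IO.File]::WriteAllBytes($_, $bytes) }
Test-CopySet -Original $paths[0] -ShadowCopy $paths[1] -OffsiteRestore $paths[2]
```

For real use, pass the live file, a copy taken from the Previous Versions tab with 'Copy...', and the file restored from the offsite backup to a separate location.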
 
LVL 1

Author Comment

by:FosterThomas
ID: 41723341
Not sure if this adds anything but I just noticed that all picture files in the folder work fine, it's only pdf's and office files that aren't functioning correctly.
0
 
LVL 12

Expert Comment

by:Dustin Saunders
ID: 41723359
Sometimes you can get those issues from trusted locations, but the end is the same.  If you go to evault, download the offsite copy to another PC and it has the same problem- it's not an issue with location on the server, sector on the file store, permission on the server, etc.- it's the file.

Being that it only seems to have hit office and pdf files sounds like a variant of crypto we've encountered before where it only encrypts those files in folders as users access them.
0
 
LVL 1

Author Comment

by:FosterThomas
ID: 41723401
I just found our original back to evault from August of 2014.   I restored that same folder from them, again these files haven't changed they are there strictly for reference, they are never resaved or updated so it's the same exact files.  I restored them from that and the same exact issue.

For two years these files have been used.  This has to be something other than crypto locker or some other virus.    This has to be a permission issue that has changed or something.
0
 
LVL 12

Expert Comment

by:Dustin Saunders
ID: 41723450
And the same thing if you restore the file to a folder on your local PC, not the server- correct?
0
