bit-tech.net

6th Jan 2017, 04:33   #1
led_zeppelinzoso
Encrypted files?

Hello everyone

I haven't used this site since I was a teenager but have run into a problem recently and need help.

Problem - Some of my files are showing up with green font and it's telling me they are encrypted and I can't open or copy them. I've never used encryption, never encrypted any of my files, I have no idea how this happened.

I've been running this computer for 8 years and been using the same license of Windows 7 for the last 5. I format and reimage the computer once a year and when I did this earlier today I come to find many of my files like this, WTF is going on???

I've been researching it for hours and tried changing the file owner, tried deselecting the encryption option but it tells me I don't have the permission to do this. I'm really stuck here, these are After Effects files I need for work and my own computer is locking me out of using them...

They were created on this computer, never shared with another computer, I've never used encryption, I don't even have a password on my user account. What is going on???

Thanks

6th Jan 2017, 07:43   #2
theshadow2001
Sounds like you have a ransomware virus. It will slowly encrypt your files and then force you to pay a ransom to decrypt them.

First thing I would do is back up anything important that is not currently encrypted. It's probably best to do this without running your OS. Perhaps using a Linux live image. Alternatively you might be able to put it in a safe mode level that would allow you to run the OS without the encryption program running. But I don't know how or if that would work.

Naturally running the OS with this kind of malware will allow it to further encrypt your files. So avoid doing that if possible.

6th Jan 2017, 08:04   #3
David
After you have backed up your data (on separate media to any other backups you may already have), you might want to let the ransomware run its course, if you can afford to live without your PC for a while - when it finishes, it will throw up a notice to tell you how screwed you are and where to send the ransom - not helpful in itself, but you may learn which ransomware it is, because some have already had keys released.

Needless to say, do not connect any other devices to your PC while it is up and running the encryption.

6th Jan 2017, 09:04   #4
Gareth Halfacree
I disagree; this doesn't sound like ransomware. Ransomware uses its own encryption to lock you out from your files, whereas the files being listed in green means that Windows' built-in encryption has locked them. I don't know of any ransomware that works that way.

Try launching a privileged Explorer session or logging in under the administrator account directly, right-clicking on the files and deselecting the encryption option that way.

Assuming you haven't encrypted the files and forgotten about it, there are a few glitches that can make Windows mistakenly think files are encrypted - the main one being using Windows' built-in compression software to extract a zip archive created on a macOS machine.

You can also try disabling encryption altogether by creating the registry key NtfsDisableEncryption in HKLM\System\CurrentControlSet\Control\FileSystem with a value of 1. If that doesn't work, try looking for shadow copies of the files pre-encryption using Shadow Explorer - or just restore from backup. You do have backups, right?

Oh, and check the hard drive's SMART stats; assuming your drive is eight years old, it's entirely possible it's actually corrupting stuff and Windows just thinks they're encrypted.
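
Added example (not from any post in the thread): a read-only PowerShell check for the situation discussed above, listing files that carry the NTFS encrypted attribute, the EFS certificates in the current user's store, and the NtfsDisableEncryption value mentioned in post #4. The `$Root` folder is an assumption; a file whose `cipher /c` output lists only certificate thumbprints with no matching private key in the store cannot be decrypted by this account.

```powershell
# Added example: read-only EFS triage. Nothing here changes files or settings.
# $Root is a hypothetical default; point it at the folder with the green files.
param([string]$Root = "$env:USERPROFILE\Documents")

$efsOid = '1.3.6.1.4.1.311.10.3.4'   # "Encrypting File System" enhanced key usage

# 1. Files NTFS has flagged as encrypted (the ones Explorer shows in green).
#    Written with Where-Object so it also runs on the PowerShell 2.0 of Windows 7.
$encrypted = @(Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        -not $_.PSIsContainer -and
        ($_.Attributes -band [System.IO.FileAttributes]::Encrypted)
    })
"{0} EFS-flagged file(s) under {1}" -f $encrypted.Count, $Root

# 2. EFS certificates in this account's personal store, and whether the
#    private key needed for decryption is actually present.
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$certs = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.Extensions | Where-Object {
        $_ -is $ekuType -and
        ($_.EnhancedKeyUsages | Where-Object { $_.Value -eq $efsOid })
    }
})
"{0} EFS certificate(s) in Cert:\CurrentUser\My" -f $certs.Count
$certs | Select-Object Thumbprint, HasPrivateKey, NotAfter | Format-Table -AutoSize

# 3. Ask Windows which users and certificate thumbprints can decrypt one of the
#    flagged files; compare those thumbprints with the list from step 2.
if ($encrypted.Count -gt 0) {
    cipher.exe /c $encrypted[0].FullName
}

# 4. Report the registry value from post #4 without modifying it.
$fsKey = 'HKLM:\System\CurrentControlSet\Control\FileSystem'
$fs = Get-ItemProperty -Path $fsKey -ErrorAction SilentlyContinue
if ($fs -and $null -ne $fs.NtfsDisableEncryption) {
    "NtfsDisableEncryption = {0}" -f $fs.NtfsDisableEncryption
} else {
    "NtfsDisableEncryption is not set"
}
```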

6th Jan 2017, 11:33   #5
theshadow2001
You're probably right Gareth but I think an offline backup is still a prudent first step.

6th Jan 2017, 11:36   #6
Gareth Halfacree
Quote:
Originally Posted by theshadow2001
You're probably right Gareth but I think an offline backup is still a prudent first step.

Oh, aye: first rule of faffing around with important files is to faff around with a *duplicate* of the important files!

2nd Mar 2017, 12:56   #7
killingit
What antivirus/antimalware software would you guys recommend to combat this so-called "Ransomware"?

All times are GMT +1.