Virus has encrypted all my important files! help!



Yesterday I had Windows 2000 installed and was getting weird activity on my computer. I started Norton Anti-Virus and ran a complete system scan. Norton found viruses, and they were all deleted. I have all my files backed up to my other partition (family pics, phone numbers of friends, music files, etc.) and ready to format my partition to install Windows XP. After I installed XP, I load all the files I backed up, lo and behold, most of the files were green! They somehow got encrypted while I was backing them up. And now I have XP and can't access them! :angry: Please guys, I can't lose these files! There has to be a way to open them or to crack them. Anything will do. Please post any ideas y'all might have. :(

Thank you very much.

Cheers!

Link to comment
Share on other sites

OMG! Heck no......There has to be a way dang it! Those are important and priceless family photos and such! "What's made by humans, is crackable by humans." If ANYONE has any idea what I can do, no matter it be legal or illegal PM please. I need to recover those files. Any help would be appreciated! I don't have any CD-Rs and I had no choice, the virus was spreading fast.....I'm glad I saved what I could.

Thanks in advance.

Cheers!

Link to comment
Share on other sites

I have all my files backed up to my other partition

A backup to a different partition is not a backup.....sorry you had to learn it the hard way....you may want to add an external hard disk or perhaps a DVD burner to your X-mas wish-list.....

If you are really desperate you may want to contact a company that can reconstruct data, the only one I know of is ibas at http://www.ibas.no (see regional links at the bottom of the page).

Link to comment
Share on other sites

If that doesn't work, did u save ur Documents and Settings? If so, there is a way to get your encryption certificate back, then import it. Look in C:\Documents and Settings\User\Application Data\Microsoft\SystemCertificates\My\Certificates from your old user profile. There should be a file named with a bunch of letters and numbers. To make it importable, however, requires a little hex editing. With a hex editor look for the first instance of 30 82 in hex. Delete everything before it, and save the file as whatever.cer.

Then right click on the file, and if the hex edit worked correctly, it should bring up a certificate window that has a button to install the certificate. There are no guarantees this will work, but it's worth a shot.

Link to comment
Share on other sites
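
Added example (not part of the original posts): the hex edit described above done as a Python script, which also checks that the `30 82` header it finds declares a length that fits in the file, since the first occurrence may sit in the store metadata rather than at the certificate. The function names and the sample bytes are constructed for illustration.

```python
import struct
import sys

DER_SEQ_LONG = b"\x30\x82"  # SEQUENCE tag, then a two-byte big-endian length


def carve_der_certificate(blob: bytes) -> bytes:
    """Return the first plausible DER certificate embedded in blob."""
    pos = blob.find(DER_SEQ_LONG)
    while pos != -1:
        if pos + 5 <= len(blob):
            (body_len,) = struct.unpack(">H", blob[pos + 2:pos + 4])
            end = pos + 4 + body_len
            # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }
            # so the first body byte must be another SEQUENCE tag.
            if end <= len(blob) and blob[pos + 4] == 0x30:
                return blob[pos:end]
        pos = blob.find(DER_SEQ_LONG, pos + 1)
    raise ValueError("no DER certificate found")


def constructed_store_blob():
    """Constructed sample (not a real certificate): metadata + DER shell."""
    tbs = b"\x30\x82\x01\x00" + bytes(256)
    body = tbs + b"\x05\x00"
    cert = DER_SEQ_LONG + struct.pack(">H", len(body)) + body
    # Leading bytes contain a decoy 30 82 whose length overruns the file.
    prefix = bytes.fromhex("0300000001000000" "3082ffff"
                           "20000000010000000a010000")
    return prefix + cert + bytes(8), cert


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: carve.py <copy-of-store-file> <out.cer>
        with open(sys.argv[1], "rb") as src:
            der = carve_der_certificate(src.read())
        with open(sys.argv[2], "wb") as dst:
            dst.write(der)
    else:  # no arguments: run against the constructed sample
        blob, expected = constructed_store_blob()
        der = carve_der_certificate(blob)
        assert der == expected
    print(f"carved {len(der)} bytes of DER")
```

Run it against a copy of the file from the old profile, never the original. The carved .cer holds only the certificate and its public key; the EFS private key is stored separately in the profile, under Application Data\Microsoft\Crypto\RSA.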

Actually ignore the hex edit part. Instead do a Start|Run certmgr.msc

Click on Personal, then Certificates.

Right click on certificates, and select import.

Then browse to the file mentioned before in Documents and Settings\User\Application Data\Microsoft\SystemCertificates\My\Certificates.

You'll have to change the drop down list to All Files to see it.

Hit next, leave it at the default Certificate store of personal.

Hit next and finish.

With any luck your old encryption certificate will then be imported and you can open the encrypted file.

Link to comment
Share on other sites

No, what I did was format that partition that had Windows 2000 on it and I moved my important files to a different drive. After I formatted the partition that had this "auto encrypt" virus, I started moving the files back from the drive that I backed them up and it told me access is denied. The files are still green. I never any encryption when I backed up my data to my other drive.

Link to comment
Share on other sites

If it is absolutely urgent, you can look into a program from Elcomsoft (the same company that makes the Advanced [fill in popular password-protected file type] Password Recovery) by the name of Advanced EFS Data Recovery. It decrypts files encrypted using EFS (the way yours were).

There is a trial version on their website, but I'm not sure if its limitation would stop you from getting the results you desire. It costs $99 to register it, but it only needs to be registered once, and you'll have updates forever.

If this is important enough for you, I think this method isn't such a bad idea. It's 100% legal too. While Microsoft might whine about it and say it defeats the purpose of EFS, I'm sure most people wouldn't use this, so EFS would still serve its purpose most of the time.

Link to comment
Share on other sites

you could always make 2^128 different user accounts... sooner or later, one of them is bound to have the same SID as your other account. then you could just open the files like normal ;)

:laugh: i know, i shouldn't joke about this :/

Link to comment
Share on other sites

So far, no results. Any other suggestions guys? Let's try not to pick on me for choosing the wrong backup option. I didn't have a choice then. I can't lose these files. And yes this is very urgent. If I have to shell out money for a program that will work, I'll do it.

Thanks in Advance.

Cheers!

Link to comment
Share on other sites

any kind of EFS recovery tool will need at least the SID (security ID) of the user account the files were encrypted with, and since you formatted the drive, there's virtually NO way to find the SID of your old user account. creating an account with the same name won't work; the SID is randomly generated each time an account is made.

see if you have any files backed up anywhere (that aren't encrypted) from before you formatted. if you can get some registry files (the actual registry, not .reg files), you might be able to get a list of SIDs from them and try them on the encrypted files. other than this, i see no way of you getting access to your files...

Link to comment
Share on other sites

any kind of EFS recovery tool will need at least the SID (security ID) of the user account the files were encrypted with, and since you formatted the drive, there's virtually NO way to find the SID of your old user account. creating an account with the same name won't work; the SID is randomly generated each time an account is made.

see if you have any files backed up anywhere (that aren't encrypted) from before you formatted. if you can get some registry files (the actual registry, not .reg files), you might be able to get a list of SIDs from them and try them on the encrypted files. other than this, i see no way of you getting access to your files...

That might work! I have some files that aren't encrypted. Some html, picture, audio and video files too! They might have the SID. But how do I go through and find out?

Thanks.

Cheers!

Link to comment
Share on other sites

I appreciate everyone's input. I value all suggestions. I may have some results. I took a screenshot of what Advanced EFS Data Recovery found:

results.jpg

What's circled in blue is the key that I need decrypted. I don't know why it won't decrypt the key. But if I can just get that decrypted, I can get all my files decrypted. Please guys, I'd appreciate a little more help and suggestions. I'm so close to cracking this.......

I'll be keeping up with the posts.

Thanks in advance!

Cheers!

Link to comment
Share on other sites

**BUMP** Please guys, **tears up** I can't lose those family photos, college applications, phone numbers of friends and family members, etc. Please, someone must have a solution for this...even if there is a way but not totally "legal". Please if anyone can PM me, I'd more than appreciate your help.

Thank you all.

Cheers!

Link to comment
Share on other sites

Convert the drive from NTFS to FAT (to remove the protection). This has saved my butt a few times.

Huh?? :blink: Um, converting to FAT will not remove EFS!! And if you were converting to FAT to get access to files due to file permissions - next time you might want to just take OWNERSHIP of the directory or file, and then give whatever account you want permissions.

Much FASTER and easier than converting a whole system because you do not understand NTFS file permissions, or are too lazy to click F1 and type "file permissions" and then do a couple of minutes of reading.

Link to comment
Share on other sites

get one of the file's properties. on the security tab, click advanced. on the owner tab, what does it say for the owner? a bit of a warning here: if you want any chance of getting your info back, don't change ANYTHING - this means click cancel whenever possible to close a window :yes:

Link to comment
Share on other sites

I don't have anything to offer you (yet,) but if you're going to use EFS on your new install, make sure to BACK UP YOUR KEYS - just in case something like this happens again. I've lost EFS protected stuff before too - it sucks.

http://www.microsoft.com/technet/treeview/...nb_efs_uizt.asp

EDIT:

I've been looking to see if there /is/ any form of crack (which is doubtful, given the level of encryption used,) but... in a quote from Microsoft:

NOTE: If you do not have access to a Recovery Agent's account with a valid recovery key, you cannot recover the data. There is no workaround in EFS.
Edited by xRKx
Link to comment
Share on other sites

This topic is now closed to further replies.