Virus has encrypted all my important files! help!

Agent_of_Knowledge    0

Yesterday I had Windows 2000 installed and was getting weird activity on my computer. I started Norton Anti-Virus and ran a complete system scan. Norton found viruses, and they were all deleted. I have all my files backed up to my other partition (family pics, phone numbers of friends, music files, etc....) and ready to format my partition to install Windows XP. After I installed XP, I load all the files I backed up, lo and behold, most of the files were green! They somehow got encrypted while I was backing them up. And now I have XP and can't access them! :angry: Please guys, I can't lose these files! There has to be a way to open them or to crack them. Anything will do. Please post any ideas ya'll might have. :(

Thank you very much.

Cheers!

John    7

not really, unless you backed up the encryption key beforehand :no: sorry...

Redestium    1

Ouchies...that's why you always backup to removable media as well..

Agent_of_Knowledge    0

OMG! Heck no......There has to be a way dang it! Those are important and priceless family photos and such! "What's made by humans, is crackable by humans." If ANYONE has any idea what I can do, no matter it be legal or illegal pm please. I need to recover those files. Any help would be appreciated! I don't have any CDRS and I had no choice the virus was spreading fast.....I'm glad I saved what I could.

Thanks in advance.

Cheers!

GAM    0
> I have all my files backed up to my other partition

A backup to a different partition is not a backup.....sorry you had to learn it the hard way....you may want to add an external hard disk or perhaps a DVD burner to your X-mas wish-list.....

If you are really desperate you may want to contact a company that can reconstruct data, the only one I know of is ibas at http://www.ibas.no (see regional links at the bottom of the page).

Sux    0

umm u can try contacting microsoft but support would be hell meanwhile i will look around

Agent_of_Knowledge    0

Thank you guys so much! I'll be waiting here for any results.

Cheers!

Sux    0

if that doesn't work did u save ur Documents and Settings? if so there is a way to get your encryption certificate back, then import it. Look in C:\Documents and Settings\User\Application Data\Microsoft\SystemCertificates\My\Certificates from your old user profile. There should be a file named with a bunch of letters and numbers. To make it importable however, requires a little hex editing. With a hex editor look for the first instance of 30 82 in hex. Delete everything before it, and save the file as whatever.cer

Then right click on the file, and if the hex edit worked correctly, it should bring up a certificate window that has a button to install the certificate. There's no guarantees this will work, but it's worth a shot.
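
The hex-edit step from the post above, done programmatically, as an added example that is not part of the original thread. It goes a little further than the manual steps by using the DER length field to reject a stray 30 82 in the leading bytes and to trim anything after the certificate; the function names and sample bytes are constructed for illustration.

```python
import struct
import sys

DER_SEQ_LONG = b"\x30\x82"  # SEQUENCE tag followed by a two-byte length


def carve_der_certificate(blob):
    """Return the first plausible DER certificate embedded in blob."""
    pos = blob.find(DER_SEQ_LONG)
    while pos != -1:
        if pos + 4 <= len(blob):
            (body_len,) = struct.unpack(">H", blob[pos + 2:pos + 4])
            end = pos + 4 + body_len
            # A certificate is SEQUENCE { tbsCertificate SEQUENCE, ... }: the
            # declared length must fit in the file and the body must itself
            # start with a SEQUENCE tag. A stray 30 82 fails one of the two.
            if end <= len(blob) and blob[pos + 4:pos + 5] == b"\x30":
                return blob[pos:end]  # drops trailing bytes as well
        pos = blob.find(DER_SEQ_LONG, pos + 1)
    raise ValueError("no DER certificate structure found")


def constructed_sample():
    """Constructed bytes with certificate-like framing (not a real cert)."""
    inner = b"\x30\x82\x01\x00" + bytes(256)   # stand-in for tbsCertificate
    rest = b"\x30\x0d" + bytes(13)             # stand-in for remaining fields
    body = inner + rest
    der = DER_SEQ_LONG + struct.pack(">H", len(body)) + body
    # Leading bytes include a decoy 30 82 whose length overruns the file.
    header = bytes(8) + b"\x30\x82\xff\xff" + bytes(8)
    return header + der + bytes(16), der


if __name__ == "__main__":
    if len(sys.argv) == 3:          # usage: script.py <store file> <out.cer>
        with open(sys.argv[1], "rb") as f:
            cert = carve_der_certificate(f.read())
        with open(sys.argv[2], "wb") as f:
            f.write(cert)
    else:
        blob, der = constructed_sample()
        cert = carve_der_certificate(blob)
        assert cert == der
    print(f"carved {len(cert)} bytes")
```

The carved .cer holds only the certificate and its public key; opening EFS files also requires the matching private key, which is stored separately from the certificate.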

Sux    0

Actually ignore the hex edit part. Instead do a Start|Run certmgr.msc

Click on Personal, then Certificates.

Right click on certificates, and select import.

Then browse to the file mentioned before in Documents and Settings\User\Application Data\Microsoft\SystemCertificates\My\Certificates.

You'll have to change the drop down list to All Files to see it.

Hit next, leave it at the default Certificate store of personal.

Hit next and finish.

With any luck your old encryption certificate will then be imported and you can open the encrypted file.

Agent_of_Knowledge    0

No, what I did was format that partition that had Windows 2000 on it and I moved my important files to a different drive. After I formatted the partition that had this "auto encrypt" virus, I started moving the files back from the drive that I backed them up and it told me access is denied. The files are still green. I never any encryption when I backed up my data to my other drive.

Hawkeye    0

If it is absolutely urgent, you can look into a program from Elcomsoft (the same company that makes the Advanced [fill in popular password-protected file type] Password Recovery) by the name of Advanced EFS Data Recovery. It decrypts files encrypted using EFS (the way yours were).

There is a trial version on their website, but I'm not sure if its limitation would stop you from getting the results you desire. It costs $99 to register it, but it only needs to be registered once, and you'll have updates forever.

If this is important enough for you, I think this method isn't such a bad idea. It's 100% legal too. While Microsoft might whine about it and say it defeats the purpose of EFS, I'm sure most people wouldn't use this, so EFS would still serve its purpose most of the time.

John    7

you could always make 2^128 different user accounts... sooner or later, one of them is bound to have the same SID as your other account. then you could just open the files like normal ;)

:laugh: i know, i shouldn't joke about this :/

Agent_of_Knowledge    0

So far, no results. Any other suggestions guys? Let's try not to pick on me for choosing the wrong backup option. I didn't have a choice then. I can't lose these files. And yes this is very urgent. If I have to shell out money for a program that will work, I'll do it.

Thanks in Advance.

Cheers!

John    7

any kind of EFS recovery tool will need at least the SID (security ID) of the user account the files were encrypted with, and since you formatted the drive, there's virtually NO way to find the SID of your old user account. creating an account with the same name won't work; the SID is randomly generated each time an account is made.

see if you have any files backed up anywhere (that aren't encrypted) from before you formatted. if you can get some registry files (the actual registry, not .reg files), you might be able to get a list of SIDs from them and try them on the encrypted files. other than this, i see no way of you getting access to your files...

Agent_of_Knowledge    0
> any kind of EFS recovery tool will need at least the SID (security ID) of the user account the files were encrypted with, and since you formatted the drive, there's virtually NO way to find the SID of your old user account. creating an account with the same name won't work; the SID is randomly generated each time an account is made.
>
> see if you have any files backed up anywhere (that aren't encrypted) from before you formatted. if you can get some registry files (the actual registry, not .reg files), you might be able to get a list of SIDs from them and try them on the encrypted files. other than this, i see no way of you getting access to your files...

That might work! I have some files that aren't encrypted. Some html, picture, audio and video files too! They might have the SID. But how do I go through and find out?

Thanks.

Cheers!

John    7

the only thing i can think of that MIGHT work is if you can somehow get the SID of the owner of those files... but again, i don't know how you'd do this...

Agent_of_Knowledge    0

I appreciate everyone's input. I value all suggestions. I may have some results. I took a screen shot of what Advanced EFS Data Recovery found:

results.jpg

What's circled in blue is the key that I need decrypted. I don't know why it won't decrypt the key. But if I can just get that decrypted, I can get all my files decrypted. Please guys, I'd appreciate a little more help and suggestions. I'm so close to cracking this.......

I'll be keeping up with the posts.

Thanks in advance!

Cheers!

Agent_of_Knowledge    0

**BUMP** Please guys, **tears up** I can't lose those family photos, college applications, phone numbers of friends and family members, etc.. Please, someone must have a solution for this...even if there's a way but not totally "legal". Please if anyone can PM me, I'd more than appreciate your help.

Thank you all.

Cheers!

cnboi    0

im so sorry 2hear that. :no:

eXplosive    0

Convert the drive from NTFS to FAT (to remove the protection). This has saved my butt a few times.

+BudMan    3,544
> Convert the drive from NTFS to FAT (to remove the protection). This has saved my butt a few times.

Huh?? :blink: Um converting to FAT will not remove EFS!! And if you were converting to FAT to get access to files due to file permissions - next time you might want to just take OWNERSHIP of the directory or file, and then give whatever account you want permissions.

Much FASTER and easier than converting a whole system because you do not understand NTFS file permissions, or are too lazy to click F1 and type "file permissions" and then doing a couple of minutes of reading.

eXplosive    0

Why are you spelling out my whole scenario when you don't even know what happened?

I'm trying to help; if I am wrong then I'm wrong.

John    7

get one of the file's properties. on the security tab, click advanced. on the owner tab, what does it say for the owner? a bit of a warning here: if you want any chance of getting your info back, don't change ANYTHING - this means click cancel whenever possible to close a window :yes:

xRKx    0

I don't have anything to offer you (yet,) but if you're going to use EFS on your new install, make sure to BACK UP YOUR KEYS - just in case something like this happens again. I've lost EFS protected stuff before too - it sucks.

http://www.microsoft.com/technet/treeview/...nb_efs_uizt.asp

EDIT:

I've been looking to see if there /is/ any form of crack (which is doubtful, given the level of encryption used,) but... in a quote from Microsoft:

NOTE: If you do not have access to a Recovery Agent's account with a valid recovery key, you cannot recover the data. There is no workaround in EFS.
Edited by xRKx
