Virus has encrypted all my important files! help!



Perhaps you encrypted them on Windows 2000 and didn't realize until you put them on Windows XP, which displays encrypted files in green.

Whatever virus or whatever it was encrypted the files for me and I was in 2000. So I saved them to another drive, formatted and installed XP. That's when I noticed my files were encrypted.


As I said before, could you not use a tool to unformat the partition?

What do you mean by, "unformat the partition"?

Cheers!


It isn't very clear: do you have 2 hard drives or one hard drive with 2 partitions? Either way you can use some utilities to "unformat", i.e. recover the data that was previously on the partition/drive after formatting. As gameguy said, it is unlikely to work but it's worth a try.


Hi,

After reading this thread I thought I'd share my experiences with EFS as we use it at work occasionally to protect sensitive data. When a new user is created in Windows 2000/XP, its SID is used to generate a private key. Typically this is a 128-bit CA using PGP technology (public and private keys). Even if the same username and password is created on a new installation, the SID and private key will be different. What you are looking at on the EFS recovery software is the public EFS key. Even knowing the original SID doesn't help as the private key is itself encrypted from the SID and not publicly known. To actually obtain the private key via brute-force (against the public key) would take today's PCs thousands of years.

I'm afraid your data cannot be recovered, unless the original private key can be obtained from the old installation by data recovery (which also seems unlikely as you've overwritten the data with a new installation). You might have to send your hard disk off somewhere to have it recovered professionally; however, we've been quoted for this in the past and it costs a lot (typically around £500).

Sorry this isn't good news, but we've all been in similar situations before and learn from our mistakes. I've also contacted McAfee (we are a corporate user at work) and they have not heard of any viruses in the wild that encrypt data using EFS; it is user triggered.

Regards,

Phil


It isn't very clear: do you have 2 hard drives or one hard drive with 2 partitions? Either way you can use some utilities to "unformat", i.e. recover the data that was previously on the partition/drive after formatting. As gameguy said, it is unlikely to work but it's worth a try.

Can you name some tool that would be worth looking at please?

Thanks

Cheers!


Ok guys, I just want 3 or 4 of these files; the rest I can surely delete. Is there any way I can break into them and make them viewable? Like brute force them or something of that nature? Please someone must have a clue about what I'm talking about. Thanks for everyone's humble help!

Cheers!


no. if you could open one, you could open the others. like philUK said, a bruteforce attack would take years to even try a small fraction of the possible keys...


Just a FYI...

It wasn't a virus that encrypted your files...it was windows 2000.

You must have had EFS on and never known since you'd never see the files as encrypted unless you tried to access them from a separate account. Windows XP added the whole coloring them green thing.

When you deleted Win2k you destroyed your SID and any chance of making a recovery certificate. This is why the program from elcomsoft can't do anything for you.

Sorry man


i still wanna try one of these files...post any useless, not-private file from them.

you don't get it... in order for him to post one of the files, he needs to be able to read one of them. he can't read them because they're encrypted...


hey gameguy - I feel your PAIN ;) I posted the fact that they are encrypted early in this thread - and still the convert to FAT, read them with linux -- Partition Magic suggestions poured in. I could tell this thread was a bust early on. Poor guy has been playing with trying to get these files back, for what, a week now - dude they are GONE!!! Forget it and move on - next time don't play with something you do not understand. EFS is NOT on by default - so you must have been playing with something ;)

You know you feel for the guy that shoots himself in the foot, or the kid that burns his fingers playing with matches. One thing for sure - they learn a lesson they are not soon to forget.


did you try opening them with linux?

these 3-4 files that you really want, what format are they in?

i still wanna try one of these files...post any useless, not-private file from them.

They're .html and .txt files.


Even though I haven't fixed my problems, I very much appreciate the community's humble solutions. For now, I'm just going to keep the files on my drive, just in case anything comes up or someone finds some other way to help me out; feel free to PM me or reply here.

THANKS GOES OUT TO THE NEOWIN COMMUNITY FOR THEIR SUPPORT!

Cheers!
