Thank you for being a valued part of the CNET community. As of December 1, 2020, the forums are in read-only format. In early 2021, CNET Forums will no longer be available. We are grateful for the participation and advice you have provided to one another over the years.

Thanks,

CNET Support

Question

Virus/malware has compressed my files

Apr 19, 2014 6:27AM PDT

Hey guys

I made the mistake of using a public computer in an internet cafe in Central America to back up my files from an SD card onto a USB flash drive. After initially copying the files I could still view them on my SD card but the ones on the USB drive looked like the screenshot that I have attached.

Unfortunately I lost the SD card later on so the only thing I have left is my USB stick with some weird file. The size of it is pretty much the size of my photos but it's all compressed into this one file.

I've spent heaps of time googling a solution (I didn't change the name of that file btw) but have failed to come up with a solution so this is my last resort. Any help would be much appreciated!

http://i59.tinypic.com/2ajv0uq.jpg


Answer
Does not look compressed.
Apr 20, 2014 1:44AM PDT

I see some oddly named file with no extension. That could be an archive or zip file without an extension but the clues are far too sparse to start offering much of any advice yet.

Is there more to this? Any use of drive security software, zip?, a name of the possible malware?
Bob

PS. I see you at BleepingComputer?
Apr 20, 2014 3:47AM PDT
ta
Apr 20, 2014 4:09AM PDT

Unfortunately I haven't got any more information than this, I have absolutely no idea what kind of malware/virus has caused this. It looks like my files are gone for good but thanks for the help anyway!

I noted truecrypt for a reason.
Apr 20, 2014 7:22AM PDT

It might not be malware at all but truecrypt or something similar. Try this to dive into what that file is.

Copy the file to your desktop and rename it to foo.txt and open it with Notepad. In notepad turn word wrap on and let me see what you see. Many of these truecrypt folders have text in the first 1000 bytes to tell me what it is.

You can delete foo.txt after you are done.
Bob

thanks for your help
Apr 20, 2014 11:44PM PDT

Hey mate

I made a copy and named it foo.txt as you said. When I turn word wrap on my computer freezes, even though I've got 16 GB RAM and a 3.5GHz CPU (Windows 8.1).

This is what the file looks like when word wrap is not on:

http://i58.tinypic.com/2h4arlf.png

ps. the file has 526'233 lines and 792 columns that's probably why it takes so long

Re: file
Apr 21, 2014 12:30AM PDT

That certainly looks encrypted and totally unusable if you don't know how to decrypt it.
Now back to that Internet Cafe to find the cause.

Kees

Ouch. Nothing in plain view there.
Apr 21, 2014 1:09AM PDT
RE
Apr 21, 2014 2:21AM PDT

Ok so in the meantime I managed to word wrap the file and this is what it looks like:

http://i60.tinypic.com/1io1ae.png

And if I drag the foo.txt into the strings file that I downloaded it just comes up with an empty cmd, is that how I run it?

Rererere...
Apr 21, 2014 2:43AM PDT

OK, Technet just went down.

https://www.google.com/search?hl=en&as_q=mark+russinovich+strings

OK, how to use strings was at the site I linked to. It's a classic command line utility and from memory I open a CMD window, CD to the folder that has the foo.txt file and then

C:\wherethefilesare>strings -a foo.txt > text.txt

Remember this is basic command line skills which you've done fine so far with.
Bob
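
The triage discussed in this thread (check the start of the file for a recognisable header, then pull out readable strings) can be scripted so nothing has to be opened in Notepad. This is an added example, not code from any poster; the signature table, the 7.5 bits/byte threshold and the sample data are assumptions of this example.

```python
import hashlib
import math
import re
from collections import Counter

# Leading signatures ("magic bytes") of formats a photo backup could plausibly be in.
MAGIC = {
    b"PK\x03\x04": "ZIP archive",
    b"Rar!\x1a\x07": "RAR archive",
    b"7z\xbc\xaf\x27\x1c": "7-Zip archive",
    b"\xff\xd8\xff": "JPEG image",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, approaching 8.0 for random-looking data."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def ascii_strings(data: bytes, min_len: int = 6) -> list:
    """Printable-ASCII runs, as a strings utility reports (min_len is this example's choice)."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)

def triage(data: bytes) -> dict:
    """Classify a chunk of an unknown file by signature, entropy and readable strings."""
    kind = next((name for sig, name in MAGIC.items() if data.startswith(sig)), None)
    entropy = shannon_entropy(data)
    strings = ascii_strings(data)
    if kind:
        verdict = "known format: " + kind
    elif entropy > 7.5:
        # Random bytes still produce short printable runs by chance, so entropy decides.
        verdict = "no signature, near-random: encrypted or headerless compressed data"
    else:
        verdict = "no signature, but low entropy: readable structure worth a closer look"
    return {"kind": kind, "entropy": round(entropy, 2), "strings": strings, "verdict": verdict}

def triage_file(path: str, limit: int = 1 << 20) -> dict:
    """Read at most `limit` bytes, so a huge file never has to be loaded into an editor."""
    with open(path, "rb") as fh:
        return triage(fh.read(limit))

# Constructed samples: a fake ZIP header, and hash output standing in for ciphertext.
SAMPLE_ZIP = b"PK\x03\x04\x14\x00" + b"holiday/IMG_0001.JPG" + bytes(64)
SAMPLE_RANDOM = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(2048))

if __name__ == "__main__":
    for label, blob in (("zip-like", SAMPLE_ZIP), ("random-looking", SAMPLE_RANDOM)):
        print(label, "->", triage(blob)["verdict"])
```

Calling `triage_file` on the copied file (the path is whatever you named the copy) returns the same dictionary for real data.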

err what
Apr 21, 2014 3:17AM PDT

hah sorry mate I'm not so tech savvy. So the file is called foo.txt and it's currently on my desktop

I open CMD and then enter

C:\Users\Tom\Desktop\>strings -a foo.txt > text.txt

is that correct? Because when I do that it says "blabla is not recognised as an internal or external command operable program or batch file"

I appreciate your help!

Why it gave that message.
Apr 21, 2014 3:25AM PDT

strings.exe would also have to be on the desktop (folder) or in the PATH.

You're very very close to getting a file with just the strings.
Bob

Doesn't work for me :/
Apr 21, 2014 3:38AM PDT

So I switched to my laptop now, this is what I'm trying to enter:

http://i58.tinypic.com/29paudh.png

I feel like a complete beginner now, can you tell me what I'm doing wrong?

ta!

So close.
Apr 21, 2014 3:45AM PDT

Is strings.exe on the desktop or at C:\users\Dominic?

Use DIR STRINGS.EXE to check.
Bob

both at the same location
Apr 21, 2014 3:55AM PDT

both files are on the desktop. If I use DIR STRINGS.EXE it says

"Volume in drive C has no label.
Volume Serial Number is xxxx
Directory of C:\users\Dominic

File not found"


I appreciate your time and help!

Directory of C:\users\Dominic
Apr 21, 2014 4:28AM PDT

That's not the desktop.
C:\users\Dominic\desktop is the desktop.

strings.exe would have to be in C:\users\Dominic if you wanted to run it there. However I'd put it on the desktop and run it there. That way the .txt file will, as if by magic, show up when you succeed.
Bob

rererere
Apr 21, 2014 4:46AM PDT
Re: rererere
Apr 21, 2014 4:53AM PDT

You did it right this time (can I assume that you only started using a PC after Microsoft invented Windows, it's all basic DOS everybody had to know back in 1990?). And it shows that it's hopeless indeed.

A useful lesson: after copying something, check the result.

Kees

..
Apr 21, 2014 4:58AM PDT

Ok so no dice ey! Thanks for the help anyway, I'll not use public internet cafes again in the future or at least I won't plug anything in there.

Answer
http://tinypic.com/view.php?pic=13ykwh&s=8#.U1VpJ1fGc2M
Apr 21, 2014 4:55AM PDT

Looking at http://tinypic.com/view.php?pic=13ykwh&s=8#.U1VpJ1fGc2M you appear to have succeeded.

BUT!!! You were not in the desktop folder at the time so the txt file should be in C:\Windows\system32

Try the dir text.txt at the prompt?

To see the content, try NOTEPAD text.txt
Bob

For me I would have CD'd to the desktop folder first.
Apr 21, 2014 4:59AM PDT

That way I would not have to type in paths to the foo.txt or to where strings.exe was.

Whoops, didn't see your last post!
Apr 21, 2014 4:59AM PDT

Ah ok found the file! This is what came back :/


Strings v2.51
Copyright (C) 1999-2013 Mark Russinovich
Sysinternals - www.sysinternals.com

No matching files were found.

OK, now you see why I'd CD to the desktop first.
Apr 21, 2014 5:04AM PDT

The .exe was fully pathed to the desktop folder but you were in Windows\system32 at the time and since foo.txt was not in Windows\system32 well, it actually did work!

CD to the desktop and it will be much easier to run strings.
Bob

So it didn't find the file.
Apr 21, 2014 5:11AM PDT

That's what it tells. And that's right because you told US that you moved foo.txt to the desktop (or maybe there's a shortcut of foo.txt on the desktop) but you told THE PROGRAM to look for it in c:\windows\system32.

Next thing to try:
c:\users\dominic\desktop strings -a c:\users\dominic\desktop\foo.txt>text.txt

Kees

Now I'm confused
Apr 21, 2014 5:29AM PDT

Haha sorry, this is clearly me not being used to using CMD. And yes I started using Windows when XP came out so I never worked with these command prompts.

Ok I'm really trying here but I'm a bit lost now.

1. So I made a copy of this weird file and its on my desktop and it's called foo.txt
2. I downloaded the strings.exe that you pointed out to me and that's also on my desktop
3. the path to my desktop is "C:\Users\Dominic\Desktop"
4. I'm using Windows 8.1 and it gives me 2 command prompts (one is admin). I'm using the admin one
5. this is what I type in according to your last post:

c:\users\dominic\desktop strings -a c:\users\dominic\desktop\foo.txt>text.txt


http://i58.tinypic.com/1088u8g.png

Am I just being stupid?

Again, why I would CD to the desktop first.
Apr 21, 2014 5:33AM PDT

You forgot one \ in a path. If you had CD'd to the desktop you could have avoided all the paths you would have to type.

Then it would have looked like
C:\users\dominic\desktop>strings foo.txt > text.txt

You're very close.
Bob

..
Apr 21, 2014 5:38AM PDT

where did I forget one \ ?

is this not correct?
c:\users\dominic\desktop strings -a c:\users\dominic\desktop\foo.txt>text.txt

There's a space from desktop to strings.
Apr 21, 2014 5:43AM PDT

The space tells the command interpreter that you ended there for the "command" and a space provides a delimiter, so all this could have been avoided by CD'ing to the desktop folder.
Bob

Sorry, my fault.
Apr 21, 2014 5:44AM PDT

c:\users\dominic\desktop\strings -a c:\users\dominic\desktop\foo.txt>text.txt

There must be a \ between desktop and strings.

Kees

Why type?
Apr 21, 2014 5:37AM PDT

Copy/paste is faster and less error prone.
And yes, that's Windows, not DOS. But, alas, it isn't ctrl-V in the command prompt window.

Kees

wow I made it :)
Apr 21, 2014 5:59AM PDT