Virus/malware has compressed my files

Unfortunately I haven't got any more information than this, I have absolutely no idea what kind of malware/virus has caused this. It looks like my files are gone for good but thanks for the help anyway!

It might not be malware at all but truecrypt or something similar. Try this to dive into what that file is.

Copy the file to your desktop and rename it to foo.txt and open it with Notepad. In notepad turn word wrap on and let me see what you see. Many of these truecrypt folders have text in the first 1000 bytes to tell me what it is.

You can delete foo.txt after you are done.
Bob

Hey mate

I made a copy and named it foo.txt as you said. When I turn word warp on my computer freezes. Even though Ive got 16 GB RAM and a 3.5Ghz CPU (Windows 8.1)

This is what the file looks like when word wrap is not on:

http://i58.tinypic.com/2h4arlf.png

ps. the file has 526'233 lines and 792 columns that's probably why it takes so long

That certainly looks like encrypted and totally unusable if you don't know how to decrypt it.
Now back to that Internet Cafe to find the cause.

Kees

Ok so in the meantime I managed to word wrap the file and this is how it looks like:

http://i60.tinypic.com/1io1ae.png

And if I drag the foo.txt into the strings file that I downloaded it just comes up with an empty cmd, is that how I run it?

OK, Technet just went down.

https://www.google.com/search?hl=en&as_q=mark+russinovich+strings

OK, how to use strings was at the site I linked to. It's a classic command line utility and from memory I open a CMD window, CD to the folder that has the foo.txt file and then

C:\wherethefilesare>strings -a foo.txt > text.txt

Remember this is basic command line skills which you've done fine so far with.
Bob

hah sorry mate I'm not so tech savvy. So the file is called foo.txt and it's currently on my desktop

I open CMD and then enter

C:\Users\Tom\Desktop\>strings -a foo.txt > text.txt

is that correct? Because when I do that it says "blabla is not recognised as an internal or external command operable program or batch file"

I appreciate your help!

strings.exe would also have to be on the desktop (folder) or in the PATH.

You've very very close to getting a file with just the strings.
Bob

So I switched to my laptop now, this is what I'm trying to enter:

http://i58.tinypic.com/29paudh.png

I feel like a complete beginner now, can you tell me what I'm doing wrong?

ta!

Is strings.exe on the desktop or at C:\users\Donimic?

Use DIR STRINGS.EXE to check.
Bob

both files are on the desktop. If I use DIR STRINGS.EXE it says

"Volume in drive C has no label.
Volume Serial Number is xxxx
Directory of C:\users\Dominic

File not found"


I appreciate your time and help!

That's not the desktop.
C:\users\Dominic\desktop is the desktop.

strings.exe would have to be in C:\users\Dominic if you wanted to run it there. However I'd put it on the desktop and run it there. That way the .txt file will, if by magic show up when you succeed.
Bob

wow sorry man I feel like a complete idiot now.

So I did exactly what you told me but nothing happens:

http://i58.tinypic.com/13ykwh.png

You did it right this time (can I assume that you only started using a PC after Microsoft invented Windows, it's all basic DOS everybody had to know back in 1990?). And it shows that it's hopeless indeed.

A useful lesson: after copying something, check the result.

Kees

Ok so no dice ey! Thanks for the help anyway I'll not use public internet cafes again in the future or at least I won't plug anythign in there

That way I would not have to type in paths to the foo.txt or to where strings.exe was.

Ah ok found the file! This is what came back :/


Strings v2.51
Copyright (C) 1999-2013 Mark Russinovich
Sysinternals - www.sysinternals.com

No matching files were found.

The .exe was fully pathed to the desktop folder but you were in Windows\system32 at the time and since foo.txt was not in Windows\system32 well, it actually did work!

CD to the desktop and it will be much easier to run strings.
Bob

That's what it tells. And that's right because you told US that you moved foo.txt to the desktop (or maybe there's a shortcut of foo.txt on the desktop) but you told THE PROGRAM to look for it c:\windows\system32.

Next thing to try:
c:\users\dominic\desktop strings -a c:\users\dominic\desktop\foo.txt>text.txt

Kees

haha sorry this is clearly me not used to using CMD. And yes I started using Windows when XP came out so I never worked with these comand prompts.

Ok I'm really trying here but I'm a bit lost now.

1. So I made a copy of this weird file and its on my desktop and it's called foo.txt
2. I downloaded the strings.exe that you pointed out to me and that's also on my desktop
3. the path to my desktop is "C:\Users\Dominic\Desktop"
4. I'm using Windows 8.1 and it gives me 2 command prompts (one is admin). I'm using the admin one
5. this is what I type in according to your last post:

c:\users\dominic\desktop strings -a c:\users\dominic\desktop\foo.txt>text.txt


http://i58.tinypic.com/1088u8g.png

Am I just being stupid?

You forget one \ in a path. If you had CD'd to the desktop you could have avoided all the paths you would have to type.

Then it would have looked like
C:\users\donminac\desktop>strings foo.txt > text.txt

You're very close.
Bob

where did I forget one \ ?

is this not correct?
c:\users\dominic\desktop strings -a c:\users\dominic\desktop\foo.txt>text.txt

The space tells the command interpreter that you ended there for the "command" and a space provides a deliminator so all this could have been avoided by CD'ing to the desktop folder.
Bob

c:\users\dominic\desktop\strings -a c:\users\dominic\desktop\foo.txt>text.txt

There must be a \ between desktop and strings.

Kees

Copy/paste is faster and less error prone.
And yes, that's Windows, not DOS . But, alas, it isn't ctrl-V in the command prompt window .

Kees

woo finally:

This is what came back:
http://i60.tinypic.com/egqxyh.png

text.txt is about a 1/4 of the size of the previous file and it's a lot of empty lines underneath what you see in that screenshot and then further down it looks like this:

http://i59.tinypic.com/6st8uv.png


Does that tell you anything?