Help with encrypted files....

Christopher

Hey guys,

I just got a job at this company, and I replaced their other network
admin - who they say was kind of a jerk. Anyway, I tried using his
machine for a while as it was, but it had so much malware/spyware that
it was barely usable and I had to reinstall WinXP Pro.

So, after I installed, a group of files seem to have been encrypted
and now I can't read them. I just get stuff like this (pasted from a
.txt file)....

The files APPEAR normal until I try to open them. The Encryption
checkbox isn't checked in the Right-click file ---> Properties --->
Advanced ---> Encrypt contents to secure data.

I logged on to the computer as the EFS Recovery Agent (Administrator)
but still the files don't seem to be encrypted.

I tried using the "cipher" command --- still nothing.

After thinking it over, it's clear that the files aren't encrypted
with Windows EFS, because I can remember logging on to this computer
before I did the re-install and I could read whichever files I wanted.

Anyway, I'm writing this with the hope that someone out there can help
me figure out what happened. I would be happy to provide whatever
other information is necessary, and ANY leads you can give me would be
great. Data recovery would be nice, but is almost irrelevant at this
point - what is important to me is that I understand what happened.

Thanks! Write me at neomage23 AT hotmail.com if you need to get in
touch.

Neo
 
Roger Abell

The files may have been encrypted with some third-party
encryption application.

Also, if an EFS file loses the bit in its header info that
indicates it is an EFS file, then you will not get the access
denied (or decryption) on access, but will get junk instead.

Losing this bit can happen with some third-party partition
resizing and bulk copy tools.
Without this bit set, cipher.exe will not recognize the file
as EFS encrypted, and so you will not be able to get info
about the thumbprint of the file.

That you logged in before the reinstall and did not notice
inaccessible/junk files only indicates that either 1) you did
not try accessing one of the afflicted files, or, 2) you were
logged in with an account allowed transparent decryption
(or possibly that something detected the login and took some
predefined steps resulting in the scrambled/encrypted files,
all subsequent to your successful login and file viewing).
--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
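
Added example (not part of the thread and not code from any poster): a triage script for the situation described above, where a file reads as junk but Windows does not report it as EFS-encrypted. It compares the NTFS encrypted attribute with the byte entropy of the content; the function names and the 7.0 bits/byte threshold are assumptions chosen for illustration.

```python
import math
import os
import stat
import tempfile
from collections import Counter

# Assumed cut-off: ciphertext (and compressed data) sits near 8 bits/byte,
# plain text is usually well below 5. 7.0 is illustrative, not a standard.
HIGH_ENTROPY = 7.0

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def efs_flag(path):
    """True/False from the NTFS encrypted attribute; None when not on Windows."""
    attrs = getattr(os.stat(path), "st_file_attributes", None)
    if attrs is None:
        return None
    return bool(attrs & stat.FILE_ATTRIBUTE_ENCRYPTED)

def triage(path, sample_size=65536):
    """Classify one file by content entropy and by the EFS attribute."""
    with open(path, "rb") as fh:
        sample = fh.read(sample_size)
    entropy = shannon_entropy(sample)
    flagged = efs_flag(path)
    if entropy < HIGH_ENTROPY:
        verdict = "readable-or-structured"
    elif flagged:
        verdict = "efs-flagged"  # EFS should decrypt this for an authorised account
    else:
        # Junk content with no EFS attribute: a lost flag, third-party
        # encryption, or simply a compressed format. Needs a closer look.
        verdict = "high-entropy-without-efs-flag"
    return {"entropy": round(entropy, 2), "efs_flag": flagged, "verdict": verdict}

if __name__ == "__main__":
    # Constructed samples: one plain-text file, one file of random bytes.
    samples = (b"meeting notes, nothing secret\n" * 200, os.urandom(65536))
    for content in samples:
        with tempfile.NamedTemporaryFile(delete=False, suffix=".txt") as tmp:
            tmp.write(content)
        print(triage(tmp.name))
        os.remove(tmp.name)
```

A `.txt` file that lands in the last category is worth setting aside untouched, since plain text should never measure close to 8 bits per byte.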
 
Vladimir Katalov

Christopher said:
I just got a job at this company, and I replaced their other network
admin - who they say was kind of a jerk. Anyway, I tried using his
machine for a while as it was, but it had so much malware/spyware that
it was barely usable and I had to reinstall WinXP Pro.

So, after I installed, a group of files seem to have been encrypted
and now I can't read them. I just get stuff like this (pasted from a
.txt file)....

[...]
After thinking it over, it's clear that the files aren't encrypted
with Windows EFS, because I can remember logging on to this computer
before I did the re-install and I could read whichever files I wanted.

Maybe the files *were* encrypted on WinXP SP1, but you've installed
WinXP without SP1 now? Here is a related article:

EFS Files Appear Corrupted When You Open Them
http://support.microsoft.com/?kbid=329741

--
Sincerely yours,
Vladimir

Vladimir Katalov
Managing Director
ElcomSoft Co.Ltd.
Member of Association of Shareware Professionals (ASP)
Member of Russian Cryptology Association
http://www.elcomsoft.com
 
Roger Abell

Yes, there are different encryptions used in XP gold vs SP 1, good
point, but OP has said that the files are not even seen as EFS encrypted
so the bit has been lost (if it was EFS in the first place).

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA