Ms Office file extensions changed? Need HELP!

[NOLACop]

I come in to work today and in one network share folder, all of the MS Office files,(word, excel) file extensions have changed to .dcxmxub So the new files would be file.doc.dcxmxub I attempted to changed the extension back to .doc and I was able to, but when word attempts to open the file I get a compatibility window and once windows default is selected the file opens to misc. characters and Chinese letters. I googled this extension and got nothing.Any suggestions?

 

[carnageX]

Are you able to restore from a backup?

 

[MidnightShadow]

I come in to work today and in one network share folder, all of the MS Office files,(word, excel) file extensions have changed to .dcxmxub So the new files would be file.doc.dcxmxub I attempted to changed the extension back to .doc and I was able to, but when word attempts to open the file I get a compatibility window and once windows default is selected the file opens to misc. characters and Chinese letters. I googled this extension and got nothing.Any suggestions?

Sooo... the files are there and if you change the extension back to just .doc or .docx you get gibberish? I'm not following the compatibility window and choosing Windows default either. Can you elaborate or take a screen shot? Also, the network share folder, is that an actual computer that is sharing or is it just a NAS (network attached storage, kind of like an external hard drive) drive?

I know I asked a lot, but I want to get a good picture of what you have going on.

 

[NOLACop]

The network share folder is a folder on the domain controller. Each employee has a folder to keep documents and forms in and certain folders are available to multiple employees depending on who needs to use the documents or forms in the folder. All of the Office files in the folder now have that weird file extension. Here is a screen shot of the pop up when I try and open a file that I changed the extension back to .doc.

 

[Lexluethar]

Possibly a virus that has encrypted the file share. We had something similar happen to one of our file shares last year.

Restore from backup to see if the issue is there.

 

[carnageX]

Possibly a virus that has encrypted the file share. We had something similar happen to one of our file shares last year.

Restore from backup to see if the issue is there.

That's what I was thinking - I wonder if he got hit with a Cryptowall variant.

 

[1etherer]

The network share folder is a folder on the domain controller. Each employee has a folder to keep documents and forms in and certain folders are available to multiple employees depending on who needs to use the documents or forms in the folder. All of the Office files in the folder now have that weird file extension. Here is a screen shot of the pop up when I try and open a file that I changed the extension back to .doc.

What's worries me more is you using your DC as a file server?! If you have got the virus it could/ will spread through your whole network.. Now normally I'd remove the server from the network but in your case that means turning off your DC now... Check your DC for viruses quickly!

 

[NOLACop]

I have run Malwarebytes and nothing was found. I have one computer that has the cryptolock virus but other than that one, I've go no popups on any other machine.

 

[carnageX]

I have run Malwarebytes and nothing was found. I have one computer that has the cryptolock virus but other than that one, I've go no popups on any other machine.

You know that Cryptolocker spreads through the network to any mapped drives that the infected machine has mapped, right? It then spreads from there over the network. So yeah...your DC very well could have Cryptolocker on it (or at least files on it encrypted) since it's also apparently your file server that's shared.

Hopefully you have backups and/or Shadow Copies/Volumes enabled so you can recover the documents. Otherwise...if it's indeed CryptoLocker (and not a less-intense variant)...then you're SOL.

 

[1etherer]

Off topic, what's SOL?