restore virus corrupted photos

Using PhotoRec to recover lost data
Forum rules
When asking for technical support:
- Search for posts on the same topic before posting a new question.
- Give clear, specific information in the title of your post.
- Include as many details as you can, MOST POSTS WILL GET ONLY ONE OR TWO ANSWERS.
- Post a follow up with a "Thank you" or "This worked!"
- When you learn something, use that knowledge to HELP ANOTHER USER LATER.
Before posting, please read
Posts: 2
Joined: 23 Dec 2015, 17:07

restore virus corrupted photos

#1 Post by herrdeh »

Hello everybody,

I dear friend of mine - an artist - lost a big amount of photos due to some sort of malware.
Some day, these photos could no longer be displayed by any image viewer, such as gimp, imagemagick, eog etc, and there were text files which said that all these files were 128bit encrypted and she has to visit a certain web page to "purchase them free".
Image viewers throw a message like "Error interpreting jpg file - not a jpg file: starts with 0x4e0x1e"

Here are some samples (of course won't view in browser - must be 2saved as...): ... 04_008.jpg ... 04_009.jpg ... 04_010.jpg ... 04_011.jpg

There were backups - but the hard disk in question appeared to be broken... )-:

She asked me for help. My guess is that, that the files were not encrypted, but the jpeg header may have been altered, so image viewers can no longer interpret the image file. But hopefully the jpeg "payload" still is there...

Can photorec / testdisk do something on that problem? - A simple run recovered a lot of pictures, but not the corrupted ones, a run with deleting the corrupted ones first failed as well.

I found this link:

but couldnt get along with Hex editors under linux.

Any hints - and other ideas are highly welcome.


User avatar
Site Admin
Posts: 5432
Joined: 18 Feb 2012, 15:08
Location: Le Perreux Sur Marne, France

Re: restore virus corrupted photos

#2 Post by cgrenier »

The file is really encrypted, both header and footer are altered.If you know the exact version of the crypolocker trojan, maybe the antivirus editor have reversed the encryption and found how to decrypt them.

Posts: 2
Joined: 23 Dec 2015, 17:07

Re: restore virus corrupted photos

#3 Post by herrdeh »

Thank you so much.

I found this page:
but I feel, these files are lost forever...

Merry Christmas,