Category Archives: Microsoft Windows

Dealing With CryptoLocker

Cryptolocker (and its variants) suck! The virus typically strikes one person's machine, and once infected, that PC will crawl local drives and mapped drives, folder after folder, file after file, encrypting them with 256-bit encryption, thus taking your data hostage.

The best methods of protection I’ve found are:

  • Don’t open or run any email attachments that come from someone you do not know, or that appear suspicious. i.e. you will never receive an email from Fedex or UPS that has a .ZIP file attachment with information about your shipment! Don’t open it, don’t touch it, delete it!
  • Make sure your servers have a working and tested backup solution in place. Make sure this backup solution is set up to send alerts on failures should a backup problem arise! Nothing is worse than the backup software experiencing a failure and you not being alerted to it until you look at it during an emergency.
  • Make sure Shadow Copies are enabled on your critical server data volumes. You can right click on the data drive letter, select Properties, Previous Versions to turn on various snapshots to be taken throughout the day. I recommend one at 6am and another at 12pm. Usually those aren’t super huge usage times.

Isolating the virus:

  • You will likely hear about this from a user who calls saying they can’t open their Word or Excel documents, or that they look scrambled. This is due to the virus having encrypted those files.
  • The first thing to do is log into the server and change all of its shares to ‘Read Permission’ only under sharing permissions.
  • The virus typically leaves 3 files behind in every directory that it has crawled: HELP_DECRYPT.TXT, .JPG and .HTML. Look at the properties of these files to try and determine the ‘Owner’. Depending on the variant, the ‘Owner’ is a lot of the time the source of the infection.
  • The source machine should be the only one that has encrypted files on its own C:\. The desktop, local My Documents, or contents of the C:\ are the best sign. If you can find this PC, disconnect it from the network immediately.
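Checking the ‘Owner’ of HELP_DECRYPT files one at a time gets old on a big file server. The PowerShell below is an added example (not part of the original post) that walks a root path, gathers every HELP_DECRYPT.* note, and groups them by NTFS owner so the likely source account stands out; $Root is an assumed parameter, and the output format is my own.

```powershell
# Added example: enumerate HELP_DECRYPT.* ransom notes under a data volume or
# share root and group them by NTFS owner. Run from an elevated PowerShell on
# the file server. $Root is an assumed parameter; point it at the affected drive.
param(
    [string]$Root = 'D:\'
)

$notes = Get-ChildItem -Path $Root -Recurse -Force -File -Filter 'HELP_DECRYPT.*' `
    -ErrorAction SilentlyContinue

if (-not $notes) {
    Write-Host "No HELP_DECRYPT.* files found under $Root"
    return
}

# Owner comes from each file's security descriptor, the same value the
# Properties > Security tab shows.
$byOwner = $notes |
    ForEach-Object {
        $acl = Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Owner   = if ($acl) { $acl.Owner } else { 'UNKNOWN' }
            Path    = $_.FullName
            Created = $_.CreationTime
        }
    } |
    Group-Object -Property Owner |
    Sort-Object -Property Count -Descending

# One line per owner: note count and the earliest note timestamp. The earliest
# timestamp tells you roughly when encryption started, which is the point
# your chosen shadow copy needs to predate.
foreach ($g in $byOwner) {
    $first = ($g.Group | Sort-Object -Property Created | Select-Object -First 1).Created
    '{0,-40} notes={1,-6} first seen={2}' -f $g.Name, $g.Count, $first
}

# Distinct directories touched, useful for scoping the restore.
$dirs = $notes | ForEach-Object { $_.DirectoryName } | Sort-Object -Unique
"`nDirectories containing ransom notes: $($dirs.Count)"
```

The owner with the most notes is your first suspect, and the directory count tells you how many folders the Shadow Copy restore will need to cover.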

Options for recovery:

  • How quickly you’ve caught the virus determines how many folders you’re going to need to restore. Many times, using Shadow Copies to restore folders to an earlier point in time is better, more convenient and loses less data than going to last night’s backup.
  • Should the server be the source of the infection, you will likely be doing a full, bare-metal restore of the entire server back to the previous full backup.
  • Once files are rolled back, you will need to clean up the remaining HELP_DECRYPT.xxx files. The easiest way to do this is to:
    • Open Admin CMD Prompt
    • Navigate to the root drive affected: cd c:\
    • Issue the delete command for all files with that title: DEL /S HELP_DECRYPT.*
    • Let it crawl the directories and remove all instances found

Logging Persistent Pings With Timestamps

This can be helpful if you want to run a persistent ping to a host, and log the results to a file to be reviewed later. There are two methods:

LOG ONLY PING FAILURES – This method will log only the failures or timed-out ping requests and their times. Cut and paste the below script into a txt doc. Save the text document as ping.vbs on the root of C:\. Open a CMD prompt, cd to the root of C and type: cscript ping.vbs x.x.x.x pinglog.txt

' Usage: cscript ping.vbs <host or IP> <logfile>
hostIp      = wscript.arguments(0)
logfilename = wscript.arguments(1)
Set fso     = CreateObject("Scripting.FileSystemObject")
Set Shell   = CreateObject("Wscript.Shell")
' OpenTextFile Method requires a Const value
' (Over)Write = 2  Append = 8
' Append mode, and create the file if it does not exist yet
Set logfile = fso.OpenTextFile(logfilename, 8, True)
' Run a continuous ping through the command interpreter and capture its output
shellstring = "%comspec% /c ping -t " & hostIp
Set oExec   = Shell.Exec(shellstring)
wscript.echo "Ping Error log With Timestamp - Ctrl + C to halt"
Do Until oExec.StdOut.AtEndOfStream
      pingline = Date & " " & Time & " " & oExec.StdOut.ReadLine
      ' A successful reply contains "TTL="; anything else (timeouts,
      ' unreachable, blank lines) is written to the log with its timestamp
      If InStr(pingline, "TTL=") = 0 Then
         logfile.WriteLine(pingline)
      End If
Loop
logfile.Close

LOG PING SUCCESS AND FAILURES – This method will produce an enormous log if left running over an extended period of time. Instead of capturing times of failures only, this will log each successful ping also. Cut and paste the below script into a txt doc. Save the text document as ping.vbs on the root of C:\. Open a CMD prompt, cd to the root of C and type: cscript ping.vbs x.x.x.x pinglog.txt

' Usage: cscript ping.vbs <host or IP> <logfile>
hostIp      = wscript.arguments(0)
logfilename = wscript.arguments(1)
Set fso     = CreateObject("Scripting.FileSystemObject")
Set Shell   = CreateObject("Wscript.Shell")
' OpenTextFile Method requires a Const value
' (Over)Write = 2  Append = 8
' Append mode, and create the file if it does not exist yet
Set logfile = fso.OpenTextFile(logfilename, 8, True)
' Run a continuous ping through the command interpreter and capture its output
shellstring = "%comspec% /c ping -t " & hostIp
Set oExec   = Shell.Exec(shellstring)
wscript.echo "Ping log With Timestamp - Ctrl + C to halt"
Do Until oExec.StdOut.AtEndOfStream
      pingline = Date & " " & Time & " " & oExec.StdOut.ReadLine
      ' Every line, success or failure, is written to the log with its timestamp
      logfile.WriteLine(pingline)
Loop
logfile.Close

Empty Recycling Bins For All Users

Many times on a Windows Server or PC you will have had multiple users log in at some point in time, and each user account has its own Recycling Bin. When getting cramped for free space, it can be handy to empty all Recycling Bins at one time, so you don’t have to, or can’t, log into the other accounts:

Windows7, Server2008/R2, Server2012/R2

rd /s c:\$Recycle.Bin

WindowsXP, Vista, Server2003/R2

rd /s c:\recycler