Debate, and discuss, just don't bore me.
And Shadow Explorer
Published on June 14, 2014 By Dr Guy In Personal Computing

I was recently blessed with a user who was fooled by an email about a package and tracking.  The email of course had nothing to do with a shipping company, but contained Cryptowall, a variant of the Cryptodefender trojan.  And it was methodical.  After basically locking them out of all their databases for a day while it did its business, it popped up the obligatory message about all the files being encrypted with an RSA 2048 key, and if you did not give them $500 in bitcoins (that one was new to me, but I guess they are untraceable), you would never see your files again.

Needless to say the lady was panic stricken.  And I was ashen.  It got her computer and every shared drive on the network.  That was years' worth of stuff.  She called me about 5:30 on a Thursday, and I told her to stop everything and I would start looking at it that night (thank god for TeamViewer).

It was that bad.  Every picture, word document, text file, spreadsheet, etc.  EVERYTHING.  As I said, it was methodical.

So I took a day off work, explaining to my boss what had happened, and headed over to the Church.  I had turned off the shares so that, on the odd chance the trojan had left some infecting mechanism on them, none of the other 10 computers would be infected.  Then I started running Malwarebytes and ESET Online Scanner on every computer in safe mode (with networking).  All the other 10 computers came up clean (well, they did not have Cryptowall, but they did have other less fatal bugs).  But neither ESET nor Malwarebytes would run to conclusion on the "Trojan Prime" computer, so I worked on it overnight.  I managed to get it to run to conclusion (and hence how I found it was a phony shipping company email) by limiting what it scanned for successive scans until I was able to run a complete scan.

The Trojan was gone.  But what to do about the data?  Fortunately I had set up a backup program.  A simple affair that backed up the data to a jump drive, full on Friday and then incremental the rest of the week.  Each Friday, someone was supposed to take the drive off site (home with them) and put the second drive in.  I do not know if that had been happening, but at least the backup was still running!  So I was able to restore the data on the server to the night before the infection.

But what about "Trojan Prime"?  I could see no way around it.  Her files looked like toast.  But I downloaded and ran Recuva, hoping to find some deleted files that had escaped encryption and restore them.  What I found surprised me (ok, so I am not keeping up with what Microsoft is doing).  Microsoft had ported Shadow Copy to Windows Vista (and beyond)!  I was familiar with it as I have worked with Windows 2003, but how to get to the shadow copies without doing a complete restore?

Bing (or Google - YMMV) is your friend.  Yep, I asked Bing and it told me about "Shadow Explorer".  Freeware.  So I downloaded it and gave it a shot.

And it recovered EVERYTHING (of course you do have to have System Restore turned on).  Nice little utility that I have added to my Batcomputer utility belt!  It saved that Church's files, and is great!  I know many do not like System Restore (I have yet to have a good experience with it doing anything for the "system"), but with Windows Vista and beyond it has a nice side job that can be a real life saver.  With Shadow Explorer!
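The recovery described above, done by hand with the tooling built into Windows, as an added example that is not from the post or from Shadow Explorer: it lists the shadow copies that System Restore kept for a volume, mounts the newest one taken before the infection, copies a file out, and checks the shadow storage cap. It assumes an elevated PowerShell session; the cut-off time and file path are placeholders.

```powershell
# Added example, not from the original post: do by hand what Shadow Explorer does.
# Enumerate the shadow copies (the snapshots System Restore keeps) for a volume,
# pick the newest one taken before the infection, mount it as a folder, copy a file out.
# Assumes an elevated PowerShell (5.1+) session; cut-off and file path are placeholders.
$DriveLetter = 'C:'
$Cutoff      = Get-Date '2014-06-12 17:30'            # last moment the files were known good (placeholder)
$RelPath     = 'Users\Public\Documents\budget.xlsx'   # file to recover, relative to the volume root (placeholder)
$Mount       = 'C:\ShadowMount'                       # folder the snapshot will be exposed under

# Shadow copies record VolumeName as \\?\Volume{GUID}\ , so map the drive letter first.
$vol = Get-CimInstance Win32_Volume | Where-Object DriveLetter -eq $DriveLetter
if (-not $vol) { throw "Volume $DriveLetter not found" }

# Every snapshot for that volume, newest first. An empty list means System Protection
# was off: nothing to recover from, which is the precondition the article points out.
$snaps = Get-CimInstance Win32_ShadowCopy |
         Where-Object VolumeName -eq $vol.DeviceID |
         Sort-Object InstallDate -Descending
if (-not $snaps) { throw "No shadow copies on $DriveLetter; turn System Protection on before the next incident" }
$snaps | Format-Table InstallDate, ID, DeviceObject -AutoSize

# Take the most recent snapshot that predates the infection, not simply the latest:
# a snapshot taken after the trojan ran already holds the encrypted versions.
$good = $snaps | Where-Object InstallDate -lt $Cutoff | Select-Object -First 1
if (-not $good) { throw "Every snapshot is newer than $Cutoff" }

# Expose the snapshot as a directory symlink; mklink needs the trailing backslash.
if (Test-Path $Mount) { cmd /c rmdir $Mount }          # rmdir without /s removes only a stale link
cmd /c mklink /d $Mount ($good.DeviceObject + '\') | Out-Null

$src = Join-Path $Mount $RelPath
if (Test-Path $src) {
    Copy-Item $src -Destination "$env:USERPROFILE\Desktop\recovered_$(Split-Path $RelPath -Leaf)"
    "Recovered $RelPath from the snapshot taken $($good.InstallDate)"
} else {
    "Not present in the $($good.InstallDate) snapshot; try an older one"
}

# The snapshot budget decides how far back you can go. Show the current cap; the
# commented command raises it so snapshots older than a few days are not pruned.
vssadmin list shadowstorage "/For=$DriveLetter"
# vssadmin resize shadowstorage /For=C: /On=C: /MaxSize=20%

# Tear the mount down when done; the snapshot itself is untouched.
cmd /c rmdir $Mount
```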


Comments
on Jun 14, 2014

That's insane! Five hundred bucks would put me in a hole impossible to crawl out of. Fortunately I have nothing worth stealing. Good thing you're on top of it. 

on Jun 14, 2014

but contained Cryptowall, a variant of the Cryptodefender trojan

Yep...not the only one: http://drjbhl.joeuser.com/article/453357/New_virus_CryptoDefender_is_worse_than_CryptoLocker_UPDATE

What I found surprised me (ok, so I am not keeping up with what Microsoft is doing).  Microsoft had ported Shadow Copy to Windows Vista (and beyond)! 

So glad Cryptowall didn't encode the shadow copy MS makes. You'd best enlarge the size of your allowable shadow storage or if reinfection occurs, you might not be able to recover the newer data. 

 

on Jun 14, 2014

Thanks for the alert Dr. Shared on SM.

on Jun 14, 2014

I've had a few 'shipping notices' lately....but been binning them and adding each sender to blocked/spam list...

on Jun 14, 2014

bgartlover

Thanks for the alert Dr. Shared on SM.

Sorry for my ignorance, bgartlover...but what's SM? Skype Messenger?

on Jun 17, 2014

I've had a few 'shipping notices' lately....but been binning them and adding each sender to blocked/spam list...

I had a couple also... and responded the same way.  Anything like that is binned immediately, especially if I'm not expecting it or do not recognise the sender.  Even when I am expecting a delivery from an online purchase, I go directly to the shipping company's website and I'll type in my ticket number manually to avoid such issues.  Fortunately, the companies I do business with use either Australia Post or Couriers Please [which I have bookmarked for my convenience] so I'm not hunting all over the net for shipping advice, etc.

on Jun 18, 2014

Fortunately I have nothing worth stealing.

You would be surprised what you can amass in data.  It really is a good idea to use cloud storage for at least your old tax returns, emails, pictures, etc.

on Jun 18, 2014

DrJBHL
You'd best enlarge the size of your allowable shadow storage or if reinfection occurs, you might not be able to recover the newer data.

That is what I am doing.  With hard drive sizes being ridiculously large, only people storing high def video need even a fraction of it.

 

Sorry I missed your early column.  Or maybe not.  I might have despaired if I had read that first!

on Jun 18, 2014

I've had a few 'shipping notices' lately

I have been getting a lot of court notices (not too many shipping ones).  I guess which tack they try depends on the area you live in.

 

But I know (since my wife is in the profession) that no court in the land is going to send you a notice in email!

on Jun 18, 2014

DrJBHL
Sorry for my ignorance, bgartlover...but what's SM? Skype Messenger?

I am with the Doc.  I am unfamiliar with the abbreviation.

on Jun 18, 2014

starkers
Even when I am expecting a delivery from an online purchase, I go directly to the shipping company's website

 

So do I - even when I know it is (or think it is) legitimate.  The website is going to be more up to date in any event.

on Jun 18, 2014

Dr Guy

Quoting Uvah, reply 1:
Fortunately I have nothing worth stealing.

You would be surprised what you can amass in data.  It really is a good idea to use cloud storage for at least your old tax returns, emails, pictures, etc.

Dr Guy, I hope you're joking.

NEVER put personal data, especially with your Social Security number, taxes, etc., in the Cloud! Put it on an external drive with redundancy.

 

on Jun 18, 2014

DrJBHL
NEVER put personal data, especially with your Social Security number, taxes, etc., in the Cloud! Put it on an external drive with redundancy.

Actually, I do have faith in the encryption of services like Mozy and Carbonite.  But no, I have not ventured there yet.  I do use an external drive, encrypted.

Besides, the NSA already has all my data.

on Jun 20, 2014

Did you hear the one about the cheap phone from China, preinstalled with spyware? Read about it the other day.

on Jun 20, 2014

Did you hear the one about the cheap phone from China, preinstalled with spyware? Read about it the other day.

Same here.... read it on Yahoo7, the cheeky bastards.

I've seen quite a few cheap phones from China but I've never been tempted to go for one, not even as a cheap second/backup phone.  When it comes to things like that, I prefer to stick with brand names and tech I know, and to date I haven't recognised one single brand name of those Chinese phones I've seen advertised.
