Monday, August 17, 2015

Profiles in PC Poisoning, Part 4

Before we get rolling, I have an addition to make to the Undamaged section of the previous post: somewhat surprisingly, CTB-Locker didn't encrypt any of the 1,850 .gif images on my father's computer - my guess is they weren't targeted because most (>95%) of them lie outside the C:\Documents and Settings\ directory.

So, what are we going to do about those,, and .xyz files? Is there any chance of recovering the original .wps, .jpg, and .pdf data in the My Documents\ folder?

A ctb-locker decrypt Google search brings up a number of pages that dole out advice for dealing with the aftermath of a CTB-Locker infection, and there is general agreement that restoring files from an external backup is the optimal response thereto. In the words of the Kaspersky guys themselves:
The best line of defense against this and other threats is to have backed up your machine yesterday (and to back it up again next week).
However, my father has never copied his My Documents\ data to an external medium of any type even though blank CD-Rs are cheap - you can buy a 50-disk spindle of 'em at Walmart for $10 - and copying stuff to a CD with his system is as easy as one, two, ... twelve.

Burnin' for you

A copy files to a cd windows xp Google search returns about a page's worth of pages with instructions for burning files and folders to a CD on a Windows XP machine. Because none of these pages quite describes what I do and what happens when I burn a CD on my father's computer, I thought I would give you my own little procedure in this regard.

(1) I begin by inserting a blank CD into the slot-loading CD-RW (F:) drive, which is the lower of the two optical drives held by the PC tower. (Above the F: drive is an E: drive for DVDs.)

(2) Up pops a CD Drive (F:) window that contains a menu of Windows actions for the CD.

The copy files to a cd windows xp search pages say that you should click on the Open writable CD folder using Windows Explorer option although I find that the Take no action option is also serviceable. I don't know anything about the Nero Express and Nero StartSmart programs: whatever they are, they're not necessary.

(3) Via the My Computer icon or the My Documents icon on the desktop, I navigate to the file or folder that I want to write to the CD and select it (click on it once). Holding down the Shift key allows me to select a range of consecutive items in the same directory; holding down the Ctrl key allows me to select nonconsecutive items in the same directory.

(4) I go to the Edit menu and choose the Copy To Folder... command.

(5) A Copy Items window containing a menu of places to copy the item(s) pops up.

I select the CD Drive (F:) option and then click the button at the bottom of the window.

(6) Depending on how much stuff I am copying, I may at this point see a Copying... window that displays an animation of the to-be-copied item(s) moving from folder to folder along a parabolic path.

(7) A tooltip-like speech balloon pops up in the lower-right-hand corner of the screen. The balloon points to a little CD icon in the taskbar and bears a message that reads:

You have files waiting to be written to the CD.
To see the files now, click this balloon.

(8) Clicking the balloon (vs. the icon it's pointing to) displays another CD Drive (F:) window.

Below the window's Standard Buttons toolbar
(a) a Files Ready to Be Written to the CD right pane lists the item(s) to be copied and
(b) a Write these files to CD command appears in a CD Writing Tasks menu in the left pane.

(9) Selecting the right-pane item(s) and clicking the Write these files to CD command launches the Windows CD Writing Wizard.

(10) By default, the CD name is set to the current date in a 3-letter-month-abbr DD YYYY format: you may fill in a different name if this is not to your liking.

(11) Clicking the button starts the burning process.

(12) When the burning is finished, the CD is ejected and a separate window announcing You have successfully written your files to the CD pops up.

Click the button and that's all she wrote.
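The twelve steps above get the files onto a disc, but a backup is only worth something if the copy is intact and you can prove it later. As an added example (not from the original post), the script below writes a manifest of SHA-256 digests for everything under a folder, so the manifest can be burned alongside the files, and then verifies a copy against that manifest, reporting what is missing or altered. The folder names and file contents in `demo()` are constructed samples.

```python
"""Build a SHA-256 manifest of a folder and verify an offline copy against it."""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path, chunk=65536):
    """Digest a file in chunks so large .jpg/.pdf files don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def write_manifest(manifest, path):
    """One 'digest  relative/path' line per file; goes on the disc with the data."""
    with open(path, "w", encoding="utf-8") as f:
        for rel in sorted(manifest):
            f.write("%s  %s\n" % (manifest[rel], rel))


def read_manifest(path):
    manifest = {}
    with open(path, encoding="utf-8") as f:
        for line in f:
            digest, rel = line.rstrip("\n").split("  ", 1)
            manifest[rel] = digest
    return manifest


def verify_copy(manifest, copy_root):
    """Compare a copy against the manifest. Returns (ok, missing, changed) path lists."""
    ok, missing, changed = [], [], []
    for rel, digest in sorted(manifest.items()):
        target = os.path.join(copy_root, *rel.split("/"))
        if not os.path.isfile(target):
            missing.append(rel)
        elif sha256_file(target) != digest:
            changed.append(rel)
        else:
            ok.append(rel)
    return ok, missing, changed


def demo():
    """Constructed sample: a small 'My Documents' tree, a good copy, then a damaged copy."""
    base = tempfile.mkdtemp()
    docs = os.path.join(base, "My Documents")
    os.makedirs(os.path.join(docs, "Letters"))
    with open(os.path.join(docs, "Letters", "to_mom.wps"), "wb") as f:
        f.write(b"Dear Mom, ... (constructed sample content)")
    with open(os.path.join(docs, "holiday.jpg"), "wb") as f:
        f.write(b"\xff\xd8\xff\xe0 not a real jpeg, constructed sample")

    manifest = build_manifest(docs)
    manifest_path = os.path.join(base, "MANIFEST.sha256")
    write_manifest(manifest, manifest_path)
    manifest = read_manifest(manifest_path)  # round-trip, as you would from the disc

    copy = os.path.join(base, "backup_cd", "My Documents")
    shutil.copytree(docs, copy)
    good = verify_copy(manifest, copy)

    # Damage the copy: drop one file, overwrite another with unrelated bytes.
    os.remove(os.path.join(copy, "holiday.jpg"))
    with open(os.path.join(copy, "Letters", "to_mom.wps"), "wb") as f:
        f.write(b"garbage")
    damaged = verify_copy(manifest, copy)

    shutil.rmtree(base)
    return good, damaged


if __name__ == "__main__":
    for label, result in zip(("good copy", "damaged copy"), demo()):
        ok, missing, changed = result
        print("%s: %d ok, missing=%s, changed=%s" % (label, len(ok), missing, changed))
```

Run the verification from the disc itself after burning, not from the source folder: the point is to catch a bad burn or a later scratch before the day you actually need the copy.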

One more point about screenshots

By default, Paint saves a screenshot as a (24-bit) .bmp image, which is uncompressed and therefore has a much larger memory footprint than, say, a .png image: you can and should save a screenshot as the latter via the Save as type: menu at the bottom of the Save As window.

Dark shadows

In the absence of an external backup, the ctb-locker decrypt search pages suggest two other courses of action for retrieving files encrypted by CTB-Locker:

(1) See if Windows' Volume Shadow Copy Service (VSS) has saved previous versions of the files.
Solution 3: Use the Volume Shadow Copy
In case you didn't know, the operating system creates so-called volume shadow copies of each file if the Windows System Restore is enabled on the computer. In this way the restore points are created at specified intervals, with snapshots of the files as they appear at the moment that are generated at the same time. This method does not guarantee the recovery of the latest versions of the files but is certainly appropriate to carry out a test anyway.
- "Some ideas to restore files encrypted by CTB Locker"
The Volume Shadow Copy Service was first implemented in Windows XP but the volume snapshots it creates with Windows XP are only temporary; persistent snapshots began with the Vista version of Windows. Undeterred - and seeing a vssvc.exe executable in the C:\WINDOWS\system32\ directory - I launched the Windows Command Prompt (Start → Programs → Accessories → Command Prompt) and ran vssadmin list shadows on the command line: No shadow copies present in the system. So much for that idea.

(2) See if the original files can be recovered via a file recovery tool -
we'll get into this next time.
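The vssadmin check in (1) above is quick to do by hand, but the answer is worth more than a yes/no: whether a snapshot is marked Persistent (the post notes XP's snapshots are temporary, Vista's are not) and when it was taken decide whether it could hold a pre-infection version of anything. As an added example (not from the original post), the parser below reads `vssadmin list shadows` output and pulls out each shadow copy's creation time, source volume, device path and persistence flag. The empty-case line is the one the post quotes; the populated listing is a constructed sample laid out the way vssadmin prints it, with made-up GUIDs, machine name and attribute sets.

```python
"""Parse 'vssadmin list shadows' output to see whether usable shadow copies exist."""
import re
import subprocess

# Empty case: the line the post quotes, inside vssadmin's usual banner.
SAMPLE_EMPTY = """vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.

No shadow copies present in the system.
"""

# Constructed sample in vssadmin's layout: one persistent snapshot, one without
# the Persistent attribute (GUIDs, machine name and attributes are made up).
SAMPLE_TWO = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.

Contents of shadow copy set ID: {11111111-1111-1111-1111-111111111111}
   Contained 1 shadow copies at creation time: 8/10/2015 9:15:02 PM
      Shadow Copy ID: {aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa}
         Original Volume: (C:)\\?\Volume{cccccccc-cccc-cccc-cccc-cccccccccccc}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: DADS-PC
         Service Machine: DADS-PC
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessible
         Attributes: Persistent, Client-accessible, No auto release, Differential

Contents of shadow copy set ID: {22222222-2222-2222-2222-222222222222}
   Contained 1 shadow copies at creation time: 8/16/2015 7:40:11 AM
      Shadow Copy ID: {bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb}
         Original Volume: (C:)\\?\Volume{cccccccc-cccc-cccc-cccc-cccccccccccc}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
         Originating Machine: DADS-PC
         Service Machine: DADS-PC
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: Backup
         Attributes: Differential
"""

CREATED_RE = re.compile(r"Contained \d+ shadow copies at creation time: (.+)")


def parse_vssadmin(text):
    """Return a list of dicts, one per shadow copy; empty list when none exist."""
    if "No shadow copies present" in text:
        return []
    entries, current, created = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = CREATED_RE.match(line)
        if m:
            created = m.group(1)  # applies to every copy in the set that follows
            continue
        if line.startswith("Shadow Copy ID:"):
            current = {"id": line.split(":", 1)[1].strip(), "created": created,
                       "volume": None, "device": None, "persistent": False}
            entries.append(current)
            continue
        if current is None or ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "Original Volume":
            current["volume"] = value
        elif key == "Shadow Copy Volume":
            current["device"] = value
        elif key == "Attributes":
            current["persistent"] = "Persistent" in [a.strip() for a in value.split(",")]
    return entries


def persistent_copies(entries):
    """Only snapshots marked Persistent survive a reboot and are worth mounting."""
    return [e for e in entries if e["persistent"]]


def run_vssadmin():
    """Run the real command (Windows, elevated prompt) and parse what it prints."""
    out = subprocess.run(["vssadmin", "list", "shadows"],
                         capture_output=True, text=True).stdout
    return parse_vssadmin(out)


if __name__ == "__main__":
    for sample in (SAMPLE_EMPTY, SAMPLE_TWO):
        found = parse_vssadmin(sample)
        print("%d shadow copies, %d persistent" % (len(found), len(persistent_copies(found))))
        for e in found:
            print("  %s  %s  %s" % (e["created"], e["device"], e["persistent"]))
```

On the machine in the post, `run_vssadmin()` would return `[]`, which is the programmatic form of "No shadow copies present in the system." Where copies do exist, the `device` path is what you would point a copy tool at to read the earlier versions.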
