-
WSTinto Tech
AskWoody Lounger
November 5, 2013 at 12:16 pm in reply to: Network/Internet connectivity and System Create/Restore from System image #1421367
The cloned machine has inherited the MAC address of the original NIC. You can check this with ipconfig /all or by looking at the event logs.
Your router will attempt to route packets by MAC address not IP address, so when it sees two devices with the same MAC address it cannot route correctly.
Change the MAC address of the clone and update the routing table in the router and it should be OK.
-
WSTinto Tech
AskWoody Lounger
A quick lookup shows click.linksynergy operates from an Apache webserver:
MagicSpeller: do you have Bot Revolt on the machine?
You have a tab open in Firefox that shows “Bolt Revo…”, which could be Bot Revolt – an antimalware offering that I’ve not come across before.
It’s a bit of a leap in the dark, but could that application be part of the issue – redirecting what it considers to be a bad site (the click.linksynergy advert) to 127.0.0.1, which happens to be the local IIS webserver…which would map to c:\inetpub\wwwroot as suggested above?
-
WSTinto Tech
AskWoody Lounger
October 30, 2013 at 5:16 pm in reply to: Possible causes of read/write errors on one network workstation (only) #1420094
A few things to think about:
Assuming this is a Server-Client network running Active Directory etc., and the users have roaming profiles set to point to the server….
Can the affected user log into a different machine, and do they suffer the same corruptions then, or are they able to run the database application OK?
Does a “clean” user experience problems if they log into the “bad” machine?
In other words, does the error follow the user or is it unique to the host? If the host, think about the database application (maybe Office, or some other?): could a repair of that help? If the user, is their profile corrupt?
Another thought: is the database the only application that experiences these corruptions? Can the user read and write large random files into that network share reliably? Create a large random file, and run a set of read/write tests.
The drive space clean-up could of course have damaged something with roaming profiles, but it is impossible to tell from afar. Nonetheless, 1.5GB sounds like a very small amount of space left.
-
WSTinto Tech
AskWoody Lounger
I’d like to see/know if Returnil, DeepFreeze, SteadyState and other programs of such ilk stop this. I know they would easily give the virus itself the boot but I’m wondering if it can do its damage while it exists.
Yes, they will return the machine to a known stable condition. However, they won’t protect your data.
If the payload is active, your data is encrypted, and returning the machine to a default state will not decrypt the data. Currently, the only mechanism to recover your data from a crypto locker infection is by paying the ransom or reverting to an offline backup (after a successful clean-up process).
This is true not just for Windows machines, but for any device that holds data which can be accessed by a mapped network drive – Apple Macs, NAS, SAN, Linux boxes, file servers etc. are all at risk if they hold data accessible by a Windows machine under threat.
Presently, the proprietary formats often used by imaging software are not attacked by crypto locker, so a device that contains these backups can be left connected to an attacked machine. I wouldn’t use that as long-term mitigation though: it is likely that the threat will develop to attack these files too.
-
WSTinto Tech
AskWoody Lounger
Yes, it should work, but if these machines are not networked, how will they receive the email and how can you be certain the patch has been deployed?
Remember that these software restriction policies are only a temporary block and the threat will likely morph to execute from other locations. In addition to the restriction policies, educate users not to click on things they shouldn’t, deploy proxies and web filtering to prevent access to unnecessary resources and ensure robust and non-local backups are kept and tested.
-
WSTinto Tech
AskWoody Lounger
I’ve deployed software restriction policies via GPO (very similar to the CryptoPrevent utility link above) to the hosts on our mixed XP/Win7 network and verified that applications launched from those locations are blocked.
Next thing I want to do is to get alerts from the event logs, so I can see when somebody tries to launch something they shouldn’t. I can manually set forwarding of the local event log ID 866 to the server and then trigger an email using task scheduler, but I am trying to get my head round configuring the forwarders via GPO on our XP based hosts automatically (the GPO settings seem only to work in Vista and above – our Win 7 hosts should pick up the GPO just fine). Wonder if anyone has any tips on that?
Looking at our ESET console, we see numerous invoice-abcxyz.pdf.exe and similar attachments being blocked on Exchange, but it won’t take long for somebody somewhere to do something silly, or for the threat to morph and the GPO settings to become useless.
With pretty much most of our data accessible to the most “click friendly” users, this is one of the few threats that really worries me. We run hourly onsite backups and daily offsite, but it would be a right royal pain to recover all that data across our network. Even after data recovery, I would be apprehensive about our network and the server.
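The alerting step described in the post above (watch for event ID 866 from the software restriction policy and raise something a human will read) can be prototyped offline once the events have been forwarded off the hosts. The following is an added example, not code from the AskWoody poster or from any Microsoft tool: it assumes a collector has already turned each forwarded Application-log record into a dict with the field names used here (my naming, not a Windows export format), and the hosts, users, paths and rule GUID in the sample records are constructed. It filters the SRP block events, pulls out the blocked path, counts blocks per user, and separately flags double-extension names such as `invoice.pdf.exe`, the pattern the post mentions seeing at the mail gateway.

```python
"""Turn forwarded Application-log records into SRP block alerts.

Added example; not code from the AskWoody thread. It assumes a collector has
already forwarded events off the hosts and presents each as a dict with the
field names used below (my naming, not a Windows export format).
"""
import re
from collections import Counter

# Source and ID of the SRP "blocked by location rule" event in the Application log.
SRP_SOURCE = "SoftwareRestrictionPolicies"
SRP_BLOCK_EVENT_ID = 866

# Constructed sample records; hosts, users, paths and the rule GUID are made up.
EVENTS = [
    {"id": 866, "source": SRP_SOURCE, "host": "WS01", "user": "CORP\\alice",
     "time": "2013-10-22T09:14:03",
     "message": r"Access to C:\Users\alice\AppData\Local\Temp\invoice-abc123.pdf.exe "
                r"has been restricted by your Administrator by location with policy rule "
                r"{11111111-2222-3333-4444-555555555555} placed on path %LocalAppData%\Temp\*.exe."},
    {"id": 1000, "source": "Application Error", "host": "WS01", "user": "CORP\\alice",
     "time": "2013-10-22T09:20:11", "message": "Faulting application name: example.exe"},
    {"id": 866, "source": SRP_SOURCE, "host": "WS02", "user": "CORP\\bob",
     "time": "2013-10-22T10:02:45",
     "message": r"Access to C:\Users\bob\AppData\Local\Temp\7zO1234\setup.exe "
                r"has been restricted by your Administrator by location with policy rule "
                r"{11111111-2222-3333-4444-555555555555} placed on path %LocalAppData%\Temp\*\*.exe."},
    {"id": 866, "source": SRP_SOURCE, "host": "WS01", "user": "CORP\\alice",
     "time": "2013-10-22T11:37:58",
     "message": r"Access to C:\Users\alice\AppData\Local\Temp\statement.doc.exe "
                r"has been restricted by your Administrator by location with policy rule "
                r"{11111111-2222-3333-4444-555555555555} placed on path %LocalAppData%\Temp\*.exe."},
]

PATH_RE = re.compile(r"^Access to (.+?) has been restricted", re.I)
# A document-looking extension immediately followed by an executable one.
DOUBLE_EXT_RE = re.compile(r"\.(pdf|docx?|xlsx?|txt|jpe?g)\.(exe|scr|com|pif|bat|cmd)$", re.I)


def blocked_path(message):
    """Pull the blocked file path out of an 866 message, or None if absent."""
    m = PATH_RE.match(message)
    return m.group(1) if m else None


def srp_blocks(events):
    """Return (host, user, path, time) for every SRP block event."""
    hits = []
    for ev in events:
        if ev["id"] != SRP_BLOCK_EVENT_ID or ev["source"] != SRP_SOURCE:
            continue
        path = blocked_path(ev["message"])
        if path:
            hits.append((ev["host"], ev["user"], path, ev["time"]))
    return hits


def is_disguised_executable(path):
    """True for names like invoice.pdf.exe that mimic a document."""
    return DOUBLE_EXT_RE.search(path.rsplit("\\", 1)[-1]) is not None


def build_alerts(events, repeat_threshold=2):
    """Summarise blocks: per-user counts, repeat offenders, and disguised files."""
    hits = srp_blocks(events)
    per_user = Counter(user for _, user, _, _ in hits)
    return {
        "total_blocks": len(hits),
        "per_user": dict(per_user),
        "repeat_users": sorted(u for u, n in per_user.items() if n >= repeat_threshold),
        "disguised": sorted(p for _, _, p, _ in hits if is_disguised_executable(p)),
    }


if __name__ == "__main__":
    for host, user, path, when in srp_blocks(EVENTS):
        print(f"{when} {host} {user} blocked: {path}")
    print(build_alerts(EVENTS))
```

The summary dict is what a scheduled task would hand to the mail step; the repeat-user list is the useful bit for the "somebody somewhere doing something silly" case, since one block is usually a near miss but several from the same account in a morning is worth a phone call.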
-
WSTinto Tech
AskWoody Lounger
The IP address and subnet mask in the result of your ipconfig probe show an APIPA address. This means several things:
You have no DHCP server running on your router, but you quite possibly have DHCP configured on your PC. Unless you have a very odd configuration in your router, you won’t be able to route to the internet with that configuration. An APIPA address is automatically generated by Windows to enable link-local TCP/IP connections when an IP address is not set by either a static IP or a DHCP server.
Therefore, it’s probable something is not right in the config of your PC or maybe your Cisco router.
Lastly, I would not recommend hacking the ISP router on your roof to open the UDP ports required. That is going to introduce a big security risk for all the other users of that equipment, quite apart from being illegal in many countries.
-
WSTinto Tech
AskWoody Lounger
Assuming you have a daily / weekly backup you can use my favourite tool and recover the entire directory.
Buy (yes, buy) Kroll Ontrack Exchange and Sharepoint Recovery, fire up the Exchange server emulator, restore the data and recover the directories.
cheers, Paul
Also take a look at Shadow Protect GRE. Will allow you to mount your backed-up Exchange database and recover anything from the entire database down to a single message entry.
Not cheap, but a lifesaver when handling Exchange mailboxes.
-
WSTinto Tech
AskWoody Lounger
October 24, 2013 at 5:19 pm in reply to: Windows small business antivirus and anti-malware suggestions? #1418921
I’ve encountered big problems with Kaspersky on a small business network in the past, but ESET Endpoint is lightweight on the workstations and has some very nice remote admin console tools that will run on your DC.
-
WSTinto Tech
AskWoody Lounger
Use TCPView to inspect all your TCP and UDP endpoints. It will give you the detail you need to know where the traffic is coming from and/or going to.
From there you can isolate processes to find the errant application.
-
WSTinto Tech
AskWoody Lounger
Jerry, Thank you. I’ll take a look at it. From what I have been told, it will not work instantly to other network computers. I’ll check it out though!
It may need a bit of tweaking to get it working. Take a look at the scripting supplied in my link above if necessary.
Regarding the need to talk to somebody “local”, that’s a perfectly valid reason to want to stay in country; but it’s not the same as not trusting somebody because they are not in the same country as you. I use software and services sourced from around the globe: trust is non-geographic, and implying that it is, slightly jarred with me.
Anyway, I fear a digression into inappropriate territory, so will leave it at that. Do take a look at the msg command and the supporting scripts, they should do what you want.
-
WSTinto Tech
AskWoody Lounger
A sweep of customer’s IP allocations has revealed the following IPs in your range are showing as susceptible to Open Recursive DNS exploits:
82.xx.xxx.xxx
The associated Zen username is: zen22xxxx@zen
Double check the highlighted items above refer to you and your IP address. Do you have a static IP address? If not, it is possible Zen may have discovered a vulnerability on somebody else’s kit and not yours.
To verify it’s your kit, check your public IP address using whatsmyip.org. Switch off the router, leave it 30 seconds, then switch back on. Verify you have a new IP address using the same web based tool, then run the exploit checker from Zen once more using the new IP address obtained after the router reboot. Do you still have an issue? If not, you can sleep tight.
-
WSTinto Tech
AskWoody Lounger
Try taking a look at the msg command.
Any reason why you don’t trust services not based in the USA? The internet is global and we don’t bite, you know…well, most of us anyway.
-
WSTinto Tech
AskWoody Lounger
I’m afraid that if you want to fix it, you are going to have to run some diagnostics.
While the internet is working, open a command prompt (go to Start and enter “CMD” in the Search Programs and Files text box). In the Command Prompt window enter “ipconfig /all” without the quotes and take a note of the result. Then, when the problem occurs again, run the same command and compare the two results.
This will establish if you have a network connection issue or a router problem.
If it is a router issue, the best course of action is to swap it out for a known good one. Maybe twist the arm of your ISP to send you a new one.
If it is a network disconnect (you can tell this very easily if the IPv4 address comes back as an APIPA address such as 169.254.x.x as opposed to 192.168.1.1 or similar) then you may have a faulty network card in the machine. It’s not clear if it is a laptop or desktop, but assuming a laptop for a moment: if it appears to be a network issue, as identified by the APIPA address above, try connecting via the ethernet port while the problem exists and run the ipconfig command again. Do you see an APIPA address on the ethernet port too?
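Three of the replies on this page come down to reading `ipconfig /all` carefully: the cloned-machine post (a second host carrying the original NIC's MAC address), the Cisco router post (an APIPA address meaning no DHCP lease was obtained) and the post above (capture the output while things work, capture it again when they break, and compare). The script below is an added example, not code from the AskWoody poster or from Microsoft; it parses text in the `ipconfig /all` layout so that the comparison and the two checks can be done mechanically rather than by eye. The three captures embedded in it are constructed samples, with made-up host names, adapters and addresses, and the "Autoconfiguration IPv4 Address" line is how Windows labels the 169.254.x.x fallback.

```python
"""Compare `ipconfig /all` captures: spot APIPA fallback and duplicate MACs.

Added example; not code from the AskWoody thread. The three captures below
are constructed samples laid out like `ipconfig /all` output.
"""
import ipaddress
import re
from collections import defaultdict

APIPA_NET = ipaddress.ip_network("169.254.0.0/16")  # Windows link-local fallback range

# Constructed capture taken while the connection works.
CAPTURE_OK = """\
   Host Name . . . . . . . . . . . . : LAPTOP-ONE

Wireless LAN adapter Wi-Fi:

   Physical Address. . . . . . . . . : 00-11-22-33-44-55
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
"""

# Constructed capture from the same host while the problem is occurring.
CAPTURE_BROKEN = """\
   Host Name . . . . . . . . . . . . : LAPTOP-ONE

Wireless LAN adapter Wi-Fi:

   Physical Address. . . . . . . . . : 00-11-22-33-44-55
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration IPv4 Address. . : 169.254.7.42(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
"""

# Constructed capture from a cloned machine that kept the original NIC's MAC.
CAPTURE_CLONE = """\
   Host Name . . . . . . . . . . . . : LAPTOP-TWO

Ethernet adapter Ethernet:

   Physical Address. . . . . . . . . : 00-11-22-33-44-55
   IPv4 Address. . . . . . . . . . . : 192.168.1.40(Preferred)
"""

ADAPTER_RE = re.compile(r"^(\S.*adapter .*):$")            # "Ethernet adapter Ethernet:"
FIELD_RE = re.compile(r"^\s+([A-Za-z0-9 \-]+?)[ .]*:\s*(.*)$")  # "   Field . . . : value"


def parse_ipconfig(text):
    """Return (hostname, {adapter_name: {field: value}}) from ipconfig /all text."""
    hostname, adapters, current = None, {}, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1)
            adapters[current] = {}
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        field = m.group(1).strip()
        value = m.group(2).replace("(Preferred)", "").strip()
        if field == "Host Name":
            hostname = value
        elif current is not None:
            adapters[current][field] = value
    return hostname, adapters


def apipa_adapters(text):
    """Adapters that fell back to a 169.254.x.x address, i.e. got no DHCP lease."""
    _, adapters = parse_ipconfig(text)
    return sorted(name for name, fields in adapters.items()
                  for field, value in fields.items()
                  if "IPv4 Address" in field and value
                  and ipaddress.ip_address(value) in APIPA_NET)


def duplicate_macs(captures):
    """MAC -> hosts, for every MAC seen on more than one host across captures."""
    seen = defaultdict(set)
    for text in captures:
        host, adapters = parse_ipconfig(text)
        for fields in adapters.values():
            if fields.get("Physical Address"):
                seen[fields["Physical Address"].upper()].add(host)
    return {mac: sorted(hosts) for mac, hosts in seen.items() if len(hosts) > 1}


def diff_captures(before, after):
    """Per adapter, the fields whose value differs between two captures."""
    _, a = parse_ipconfig(before)
    _, b = parse_ipconfig(after)
    changes = {}
    for name in set(a) | set(b):
        fa, fb = a.get(name, {}), b.get(name, {})
        delta = {f: (fa.get(f, ""), fb.get(f, ""))
                 for f in set(fa) | set(fb) if fa.get(f, "") != fb.get(f, "")}
        if delta:
            changes[name] = delta
    return changes
```

Feed it the saved output of the two `ipconfig /all` runs: `diff_captures` shows exactly which fields moved (here the lease disappears and the 169.254 address and /16 mask appear), `apipa_adapters` answers the "is it the NIC or the router" question directly, and `duplicate_macs` over captures from several hosts is the quick way to confirm the cloned-machine situation before changing anything on the router.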
-
WSTinto Tech
AskWoody Lounger
Your PC may not be running a web server, but the router is.
The ZyXEL USG-20w is a serious bit of kit: much more capable than the average residential router. It has, for example, a remote dial-in capability that will be protected by SSL encryption. This is probably the source of the Port 443 response. It also has the ability to launch an SSH session or to Telnet into the box, which is why Ports 22 and 23 are responding.
To check this, go to whatsmyip.org and make a note of your public IP address. Now, ideally from a machine outside your network (a friend or neighbour), browse to https://{your-ip}. I would expect to see a router login screen.
Next, turn off the router. Leave the modem switched on and repeat the test above. I expect no response, even though the IP address is live because the modem holds it open.
Is it a worry? Well, it depends on how secure the router remote access is. Make sure you have a strong password, or better still, if you don’t need them, turn off the remote access tools. Some financial institutions require all low ports to be stealthed before they will allow access to their systems. I recall a visitor to the Lounge here last year had an issue with a bank who would not grant a particular service because his system was responding on a port. That may not be an issue here, but it is worth bearing in mind.
Copyright ©2004-2025 by AskWoody Tech LLC. All Rights Reserved.