OICE_15 Folders

After being plagued with hundreds of OICE_15_XXXXXXX folders and the pain in the arse to get rid of them I have decided to make my life a tad easier today.

I have seen these folders being created under AppData in the roaming profiles of users, they get copied up and down as the user logs on and off and ultimately end up causing the roaming profiles not to sync as they are over quota.

I can’t add them to folder exclusions as they are all different and I can’t find a way to move them or stop them being created. We have to delete them as and when we come across them and they are not always easy to delete as some of the files are dot files and Windows says it’s not there when you try and delete it! WTF FFS

I normally browse to the folder, shift right click and select `Open command window here`, go into each folder and delete the dot files, then delete the folders. But it takes for bloody ever as I have to do that on the computers and on the server where the OICE_15 folders are.

To make life easier I have added an extra context menu to the right click menu for folders called `KillDOTFiles`

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\Folder\shell\killdotfile]
@="KillDOTFile"
"Icon"=""

[HKEY_CLASSES_ROOT\Folder\shell\killdotfile\command]
@="\"C:\\Windows\\killdotfile.bat\" \"%1\""

Created a batch file that had the following contents

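@echo off
rem Take the last path component of the folder that was right-clicked.
rem Stored in FolderName rather than temp so the TEMP variable is left alone.
for %%a in ("%~1") do set "FolderName=%%~nxa"
rem Only act on folders whose name starts with OICE
set "OICEDir=%FolderName:~0,4%"
if /I NOT "%OICEDir%"=="OICE" (
    rem echo No
) ELSE (
    rem echo Yes
    rem Quoted so that paths containing spaces are handled as one argument
    del "%~1\*.*" /q /f
    rd "%~1" /s /q
)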

Now all I need to do is highlight the folders, right click and they get deleted.

I've added a bit of checking to the batch file, as if I give the file to anyone else I do not want to be held liable if they delete the wrong directory! It will happen!!

Why did I not think of doing this before?
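
A bulk version of the same clean-up, as an added example that is not part of the original post: it lists every matching folder under a profile store and only removes them when asked, keeping the name check from the batch file and using the `\\?\` prefix so files with trailing dots can be deleted. `$ProfileRoot`, the `-Delete` switch and the name pattern are assumptions, and the root is assumed to be a local path rather than a UNC share.

```powershell
param(
    [string]$ProfileRoot = 'D:\Profiles',  # hypothetical local path to the profile store
    [switch]$Delete                        # report only unless this switch is given
)

# Constructed pattern: the post only shows the names as OICE_15_XXXXXXX.
$namePattern = '^OICE_15_[0-9A-Za-z_]+$'

$root = (Resolve-Path -LiteralPath $ProfileRoot).ProviderPath.TrimEnd('\')

# Collect the targets first so nothing is deleted while the tree is still being walked.
$targets = @(
    Get-ChildItem -LiteralPath $root -Directory -Recurse -Force `
                  -Filter 'OICE_15_*' -ErrorAction SilentlyContinue |
        Where-Object {
            # Same idea as the check in the batch file, but on the whole name,
            # and never treat a junction or symlink as a folder to clean.
            $_.Name -match $namePattern -and
            -not ($_.Attributes -band [IO.FileAttributes]::ReparsePoint) -and
            $_.FullName.StartsWith("$root\", [StringComparison]::OrdinalIgnoreCase)
        }
)

foreach ($dir in $targets) {
    if ($Delete) {
        # The \\?\ prefix turns off Win32 name normalisation, so files whose
        # names end in a dot are removed like any other file.
        cmd.exe /c rd /s /q "\\?\$($dir.FullName)"
        $state = if (Test-Path -LiteralPath $dir.FullName) { 'FAILED' } else { 'deleted' }
    }
    else {
        $state = 'would delete'
    }
    [pscustomobject]@{ Folder = $dir.FullName; State = $state }
}
```

Run it once without `-Delete` and read the list before running it again with the switch.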

QuickTime Issues – Poxy Apple Software

What a waste of 3 days this has been!

A problem was reported to me – someone couldn’t view a webpage with a QuickTime movie in it.
Given that QuickTime was in need of an update as it was well out of date, I decided to update it first.

I am really not sure what the hell was going on, but it was plagued with errors. The main one being when I created the deployment package in SCCM it deployed the Apple Application Support MSI but then failed deploying the QuickTime MSI. The Apple Application Support MSI was a dependency of the QuickTime MSI. That worked fine but the QuickTime MSI failed saying that a version of QuickTime was already installed.
So I deployed a clean image to my test machine that included QuickTime and set about deploying the new version of QuickTime. Same error again – a version of QuickTime was detected again. Ok so much for upgrade! So I removed all Apple components and deployed QuickTime again. The same error.
I double checked and went through the registry and removed every Apple reference, went through ProgramData and removed everything Apple and in Program Files and Common Files etc. With everything gone I deployed it again. The same error?!?!

I then decided to run the MSI files manually. The Apple Application Support installed fine, but the QuickTime failed again with the same error.
This time I ran SysInternals Process Monitor to capture everything so I could see what was going on.

Several hours later I came across a registry entry that looked like it was causing the error. I deleted it and ran the QuickTime MSI again only to find the registry key was back and so was the error. Now that made no bloody sense at all?
Thankfully I had a weekend to forget about that crap and start afresh on Monday, which seemed to work as I redid the 2 deployments in SCCM and it then installed Apple Application Support and QuickTime with no issues. I really do not know what happened there, as nothing was different.

So, back to the original reason for doing this, I checked the online video and it still didn’t play.
So after all that faffing I was no further forward!
I then renamed my roaming profile and logged in and tried it again. This time it worked!
I looked through the roaming profiles folder to see what Apple stuff I could find, but as I severely limit what is allowed to roam there were no Apple files / folders there.
I then copied the old registry file over and logged on again – movie didn’t play again.

So the issue was with the registry.
I loaded up regedit and went through all the references to Apple or QuickTime that I could find, deleting them one at a time then trying the online video again.
I finally came across a key called

HKCU/Software/Microsoft/Internet Explorer/Internet/Registry/REGISTRY/USER/[SID]/SOFTWARE/Apple Computer, Inc./QuickTime/LocalUserPreferences

With a setting called FolderPath that was set to an invalid location.
I changed the location to a valid one and hey presto it worked! FFS

It’s so nice to see Apple software that is enterprise friendly!

A new take on a scam!

Today I woke up to find a Skype message from a ‘female’ asking to add me to their contacts. I had a quick look at their profile which was some blurry pixelated picture, no doubt a thumbnail taken from a social media website somewhere and had a quick check of their email address.

So, as I normally like to have a bit of fun I played along for a bit. Asking questions, answering questions, making out that I was rich and single, asking them what they were wearing etc.

I was however surprised when said contact then tried to video call me! Again I thought I’d play along so I disabled my camera and mic and asked them to call me again, telling them to hurry up as I was about to get in the shower.

So they called me and I accepted, ‘she’ asked why she couldn’t see me, to which I replied that I couldn’t see her either.

On closer inspection, the picture of the ‘female’ was the same for 1m 39s even though they were typing and sending me messages.

I’d had enough by then, knowing full well that I was not going to see any boobs, so I sent a quick message saying thank you for the IP address and pointing them to a website that details scammers and their email address, declined the add request, blocked them and reported them as spam.

Cheap crappy scams! If they want money out of me then I need to see the goods first!

CryptoWall – OH, you're fucked

My first dealings with a Crypto Variant today, CryptoWall

Someone that I haven't done any work for for a few years contacted me to ask for some help as they couldn't open their emails. So I remoted on and took a quick look for them.

First thing that I noticed when the screen loads is 3 files in the middle of the desktop called DECRYPT_INSTRUCTION. Straight off I knew that this was not going to be a good result.

I had a quick read of what it says and then a quick look at the My Documents folder and then proceeded to tell him, in a non-technical way, that he was Fucked. I then explained what had happened and told him that there was nothing that I could do, something that I don't often tell people. I wasn't going to suggest paying $500 to get it all unencrypted only to find that it didn't work.
Ironically the only thing that wasn't encrypted was all of his Sage Accounts!

He asked how it could have happened and after a quick visual check I told him:
Well, you are running Windows XP that has out of date virus protection, that would not have helped, you have probably opened up a few dodgy emails with attachments and looked at them. He did say that he has been getting a lot of emails with invoices in them! Oh Dear

It's not often that I can't fix something, but in this case I couldn't, so I told him to turn off and unplug the computer and buy 2 new ones to replace what he had as they are well out of date and possibly open to more problems!