How to Reset the Counter in *.DAT Files After Recovery from Crypto Ransomware Attack

Q - We were recently attacked by Crypto Ransomware.  We did implement the NTFS security based on the following Knowledge Base article:
        http://support.elliott.com/knowledgebase/articles/654601-elliott-8-directory-structure-and-ntfs-rights
However, we still have to restore the DAT files.  The DAT files contain counters like starting order number and starting invoice number.  How do I reset them to the values that match the current *.BTR file values?

A - The following is a list of *.DAT files that may be attacked by CryptoWall or CryptoLocker ransomware:

APCTLFIL.DAT: This file contains information in A/P Setup.  The counter you need to reset is "13. Last Voucher Number Used?" You can find this value by following this procedure:
  • Go to New A/P Transaction Processing and print edit list.  If there are any transactions in the New A/P Transaction edit list, then find the last voucher number used.
  • If there's nothing in New A/P Transaction Processing, bring up the Pervasive control center, find the APOPN_VHR table, and execute the following SQL statement - select top 10 ap_open_voucher_no_v from "APOPNFIL_VHR" where ap_open_voucher_code = 'V' order by ap_open_voucher_no_v desc 
  • The last 10 vouchers used should show up.  The reason we choose to show the last 10 vouchers is because you could manually assign vouchers.  Showing the last 10 vouchers can help you to identify if that is your situation and help you to avoid drawing the wrong conclusions.
ARCTLFIL.DAT: This file contains information in A/R Setup.  The counter you need to reset is "1. Starting Invoice No."  You should first check to see if you have any unposted invoices in the CPORDHDR table.  You can find that out with the following procedure:
  • Use this SQL statement in Pervasive control center - select top 10 order_no, order_invoice_no, order_invoice_date from "CPORDHDR" where order_selection_code = 'X' order by order_invoice_no desc
  • If nothing shows up with the above SQL statement, it means all invoices are posted.  Then you need to use the following SQL statement to find it from the CPINVHDR table - select top 10 inv_no from cpinvhdr order by inv_no desc
  • Alternatively, you can go to COP -> Inquiry -> Invoice History Inquiry -> Inquiry -> Invoice Inquiry by Invoice.  Hit F1 at the customer number field, and then hit F1 to show the latest invoices.
BMCTLFIL.DAT: This file contains the BOMP Setup.  The counters you need to reset are:
  • "3. Next Legacy Work Order No"
  • "4. Next Engineering Change No"
  • "5. Next Material Work Order No"
  • "6. Next Plus Work Order No"
Depending on the features you use in BOMP module, you may not need to recover all of them.  For example, if you don't use Plus Work Order, then you don't need to recover the value of "6. Next Plus Work Order No".  The following is the procedure you can use to recover these values:
  • You can use the following SQL statement to recover legacy work order numbers - select top 10 prd_ord_order_no from bmordfil where prd_ord_order_type = 'O' order by prd_ord_order_no desc
  • Similarly, you can use the following SQL statement to recover material work order numbers - select top 10 prd_ord_order_no from bmordfil where prd_ord_order_type = 'M' order by prd_ord_order_no desc  
  • Similarly, you can use the following SQL statement to recover plus work order numbers -  select top 10 prd_ord_order_no from bmordfil where prd_ord_order_type = 'P' order by prd_ord_order_no desc
  • If you are using BOMP engineering change processing, you can find engineering changes by going to BOMP -> Processing -> Engineering Change Processing -> List.  If there are any entries, you will find the last Engineering Change No there.
  • If there is nothing in the Engineering Change Edit List, you can find out the last engineering change from history by using the following SQL statement - select top 10 eng_chg_hst_chg_no from bmenghst order by eng_chg_hst_chg_no desc
COMPFILE.DAT: This file contains both company setup and G/L setup.  It is unlikely that company setup would have any changes.  The counter values you need to recover in G/L Setup are "4. Starting Journal History No" and "5. Starting Transaction ID No."  You can use the following procedure to find these values:
  • Go to G/L -> Reports -> Journal History Report. Print all packages for the last few days (a few days ahead of your backup date till now).  Look through each section.  The journal source looks like XX9999.  The largest 9999 will be at the end of each section.  Find the largest 9999 value among all sections.  That value + 1 will be the value for "4. Starting Journal History No."
  • Go to G/L -> Processing -> General Journal Trx Processing -> Entry-List.  If you have an unposted G/L Journal Trx in the edit list, you can find the last G/L Transaction ID used.
  • If there are no entries in the G/L Journal Trx edit list, then you will have to recover this value from the General Ledger table.  You can use the following SQL statement - select top 10 gl_trx_id from "GLTRXFIL" order by gl_trx_id desc
CPCTLFIL.DAT: This file contains the COP Setup.  The counter you need to reset is "1. Starting Order Number." You can find out this value by going to COP -> Inquiry -> Order Inquiry -> Inquiry -> Order Inquiry by Customer/Order.  At the customer field, press F1. Then, at the order field, press F2. This will bring up the orders in reverse order number sequence.  The F2 key will ensure that even the posted orders will show up.

CPHSTPRD.DAT: This is the setting in COP -> Maintenance -> Sales Hist Period File. Unless the restoration of this file is over the month-end, the value in this file will not be changed.  If it is over the month-end period, you can simply go to this menu and change the current period.

GLFSPASS.DAT: There is no counter to recover from this table.  So you can simply restore the DAT files and nothing needs to be done.

GLPRDFIL.DAT: This and the GLPRDV66.DAT files comprise the G/L Period File.  You can access them by going to G/L -> Maintenance -> Accounting Period File.  Unless the restoration of this file is over the month-end period, the value in this file will not be changed.  If it is over the month-end period, you can simply go to the menu and change the current period accordingly.

GLPRDV66.DAT: See previous instructions for GLPRDFIL.DAT. 

IMATP001.DAT:  There is no counter to recover from this table.  So you can simply restore the DAT files and nothing needs to be done.

POCTLFIL.DAT: This is the setting in PO Setup. The counter you need to reset is "1. Starting Purchase Order No."  You can find out this value by going to PO -> Inquiry -> Purchase Order Inquiry -> Inquiry.  At the Vendor No. field, press F1. At the P.O. No field, press F1.  Then the Purchase Order will be displayed in the reverse sequence of PO number.

TERMBAL.DAT:  There is no counter to recover from this table.  So you can simply restore the DAT files and nothing needs to be done.
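
The "top 10" queries above return the most recent numbers so that manually assigned values can be spotted before a counter is reset. The following Python script is an added example, not part of the original article or of Elliott: it groups the returned numbers into runs and flags isolated high values for review. The function names and the `max_gap` threshold are assumptions, and the sample values are constructed.

```python
def cluster_recent_numbers(values, max_gap=50):
    """Group numbers from a 'select top 10 ... desc' result into runs.

    Two neighbouring numbers belong to the same run when they differ by
    no more than max_gap (an assumed threshold; tune it to your volume).
    """
    ordered = sorted(set(values), reverse=True)
    if not ordered:
        raise ValueError("query returned no rows")
    clusters = [[ordered[0]]]
    for v in ordered[1:]:
        if clusters[-1][-1] - v <= max_gap:
            clusters[-1].append(v)
        else:
            clusters.append([v])
    return clusters


def last_sequential_number(values, max_gap=50):
    """Return (last number of the main run, suspected manual numbers).

    The main run is the one with the most members; on a tie the higher
    run wins, which avoids reusing a number that already exists.
    Whether the setup field takes this number or this number + 1 depends
    on the field (the article states + 1 for "4. Starting Journal
    History No").
    """
    clusters = cluster_recent_numbers(values, max_gap)
    main = max(clusters, key=len)  # first (highest) run wins a tie
    suspects = [v for c in clusters if c is not main
                for v in c if v > main[0]]
    return main[0], suspects


if __name__ == "__main__":
    # Constructed sample: two manually keyed vouchers above the normal run.
    sample = [900124, 900123, 10457, 10456, 10455,
              10454, 10453, 10452, 10451, 10450]
    last, manual = last_sequential_number(sample)
    print("last sequential number:", last)
    print("review as manually assigned:", manual)
```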

Grant Users Modify Right to *.DAT After Restoring the DAT Files
Also, keep in mind that after you restore the *.DAT files, you will need to give your users modify right access by using commands like the following:
    ICACLS *.dat /grant everyone:M

EMK
