Re: Fake antivirus

2011-06-16 Thread kz20fl
Get autoruns out and find out where the entry point is

Sent from my BlackBerry® wireless device

-----Original Message-----
From: "John Aldrich" 
Date: Thu, 16 Jun 2011 22:14:20 
To: NT System Admin Issues
Reply-To: "NT System Admin Issues" 
Subject: RE: Fake antivirus

This came in handy today... I got a call right after lunch today (Thursday)
about a computer that was showing the symptoms. I used RKILL to get rid of
the active process and then cleaned it with MBAM and followed the
instructions in the link. However, this particular variant appears to have
had a tag-along that MBAM did not find and so far Vipre has not found...
some sort of adware. Ads keep popping up all the time on the desktop and
iexplore.exe is running in the background.

Any suggestions?



From: Tammy Stewart [mailto:copper...@personainternet.com] 
Sent: Thursday, June 16, 2011 12:07 PM
To: NT System Admin Issues
Subject: RE: Fake antivirus

Good to hear Mike,

Just in case some others missed it –
http://supportforums.sunbeltsoftware.com/messageview.aspx?catid=76&threadid=7944&enterthread=y

If still getting redirects after the rogue exes have been removed – it is
usually volsnap.sys that is compromised. Replacing with known good copy from
recovery console/barts/UBCD/etc will take care of that issue.

If still active – avoid logging in with admin privs if possible & use
process explorer to kill the rogue, rename it etc. (run as)
Logging in with admin privs will surely mangle volsnap.sys.

Cheers!

Tammy


From: Mike Sullivan [mailto:neog...@gmail.com] 
Sent: Thursday, June 16, 2011 10:12 AM
To: NT System Admin Issues
Subject: Re: Fake antivirus

I ran into this on Monday, at least I have my users locked down and they
only saw the message that the hard drive was failing and their shortcuts
disappeared. I followed Tammy's instructions and had it cleaned up pronto! 
On Thu, Jun 16, 2011 at 6:53 AM, Jonathan  wrote:
I've run into a nice variant of this just this morning... the window is
titled, "Windows Vista Restore" and the caption at the top of the window
says, "PC Performance & Stability analysis report". It is telling me that the
hard drive is failing and that private data is at risk.

When I went into the root of C:, it only showed one file, named
bootsect.bak. After I chose to display all hidden and os files,
voilà, everything in C: and on the desktop appeared.

What a way to start a Thursday - at least it isn't Monday!

JR
On Mon, Jun 6, 2011 at 11:56 AM, Roger Wright  wrote:
Try setting him up with ClearCloudDNS - might help prevent future
infections.


Roger Wright
___

"Formula for success: rise early, work hard, strike oil." - J. Paul Getty





On Fri, Jun 3, 2011 at 10:34 AM, John Aldrich wrote:
> Thanks... This particular user is unlucky enough to have teenagers who use
> his computer. My guess is they are visiting infected/hostile/0wned sites and
> that's how he's getting infected. Never really had a problem when he was
> working here, so I'm suspecting it's some of his grandkids that are causing
> the problem.
>
> As I have not yet seen the problem, I don't know if it's going to be easy or
> difficult. Hopefully MBAM and Vipre won't have any problem with it. :D
>
> Thanks again!
>
>
>
> From: James Rankin [mailto:kz2...@googlemail.com]
> Sent: Friday, June 03, 2011 10:31 AM
> To: NT System Admin Issues
> Subject: Re: Fake antivirus
>
> May be time to invest in some UAT (user awareness training). Continual
> re-infestation either means he is unlucky, or gung-ho in his browsing.
>
> I've had some fake AVs recently which were ridiculously easy to get rid of
> (kill process, delete files, remove autorun entry). Others have been more
> stealthy - such as killing targeted windows like Task Manager. Booting into
> safe mode usually prevents these extra "features" from bothering you.
>
> But as with everything - a reimage may be the only way to be sure.
> On 3 June 2011 15:26, John Aldrich  wrote:
> I'm going to go to a former co-worker's this afternoon to clean his system
> (again) from another fake antivirus infestation. I've already got Vipre
> Rescue and Malware Bytes on a memory stick. I've also got RKILL. I haven't
> had to deal with any fake antivirus in a few weeks. Just wondering if they
> have developed any new tricks recently that I should be aware of?
>
> Oh, this user had Vipre Home on his PC, and got infested anyway. Should I
> submit samples to Sunbelt (assuming I can find where they're quarantined)???
>
> Thanks!
>
>
>
>
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~   ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe ntsysadmin
>
>
>
> --
> "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
> the machine wrong figures, will the

RE: file copying

2011-06-16 Thread Level 5 Lists
Yah, maybe it was robocopy I ran through. It was odd, I did a whole shared 
folder that had dozens of sub folders with different ACLs. I watched it for a 
few minutes and then randomly spot checked a few files, it looked good. The 
next business day several people complained they couldn't get to files they 
needed and one of my techs had to go back and reset perms on a lot of them ..

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Thursday, June 16, 2011 11:32 PM
To: NT System Admin Issues
Subject: Re: file copying

XCOPY /O

ROBOCOPY





ASB (Professional Bio)
Harnessing the Advantages of Technology for the SMB market...


On Thu, Jun 16, 2011 at 9:31 PM, Level 5 Lists <li...@levelfive.us> wrote:
I have a client that we need to migrate about 2tb of data. I recently used 
xcopy gui but it didn't seem to bring a lot of permissions over and I had to go 
back through and redo it.

I also played with the Richcopy but it would always hang up, I couldn't just 
select the root folder and have it successfully copy that much data.

I'm willing to purchase something if anyone has anything that just works. I need 
permissions mainly, not overly worried about timestamps, but ACL is required.

Thx





RE: Dear Dell

2011-06-16 Thread Ryan Finnesey
I would be curious to know the size of the companies.  I will soon be
building out 9 data centers and I need to decide if I want to go Dell or
HP.  Right now, I am thinking HP.

 

From: Sam Cayze [mailto:sca...@gmail.com] 
Sent: Monday, June 06, 2011 5:33 PM
To: NT System Admin Issues
Subject: RE: Dear Dell

 

Just noticed this too.  I was not notified by Dell about my last reorg
of reps.

 

Way too many account changes IMO.  Every couple of months lately.  And
every time they want a 30 minute conference call to learn about our
business.  They should store our info in CRM or something and just pass
it onto the next team, because I kindly decline those calls now.  

 

I've been ordering more and more from CDW and Amazon, unless it's Dell
branded.  The premier page KILLS me.  Slow as heck, and WAY too many
clicks to place an order.  CDW/Amazon are 1 or 2 clicks to place an
order.  

Time is money.

 

Currently, the parts department contacted me to return a warrantied part
they shipped out a few days ago.

That's odd, I haven't had a support/warranty case open in months.  Sigh.

 

Sam

 

From: Jonathan Link [mailto:jonathan.l...@gmail.com] 
Sent: Monday, June 06, 2011 1:50 PM
To: NT System Admin Issues
Subject: OT: Dear Dell

 

If you have a massive wide reorganization of account reps to match up
with geographical location, please notify your customers, it's just good
customer service[1].

Also, if you fail to do that, please at least quote the order correctly
the first time.  Quotes with items missing, quantities wrong on multiple
products "don't look too good."[2]

One last thing.  Do not quote me prices in excess of what I see on the
premier page, if the only thing I want you to do is to give me a media
CD.

 

[1] Sometimes your customers have their own situations to deal with, you
can exacerbate an already bad situation by ignoring your customers[3]

[2] I'm aware of the grammar.  Use a southern accent and it's all good.

[3] Wonder if I should just shelve the purchase, and pursue Lenovo after
I get back from vacation.

 

 


Re: file copying

2011-06-16 Thread Andrew S. Baker
XCOPY /O

ROBOCOPY



*ASB* (Professional Bio)
Harnessing the Advantages of Technology for the SMB market...




On Thu, Jun 16, 2011 at 9:31 PM, Level 5 Lists  wrote:

> I have a client that we need to migrate about 2tb of data. I recently used
> xcopy gui but it didn’t seem to bring a lot of permissions over and I had to
> go back through and redo it.
>
> I also played with the Richcopy but it would always hang up, I couldn’t
> just select the root folder and have it successfully copy that much data.
>
> I'm willing to purchase something if anyone has anything that just works. I
> need permissions mainly, not overly worried about timestamps, but ACL is
> required.
>
> Thx


RE: Fake antivirus

2011-06-16 Thread John Aldrich
This came in handy today... I got a call right after lunch today (Thursday)
about a computer that was showing the symptoms. I used RKILL to get rid of
the active process and then cleaned it with MBAM and followed the
instructions in the link. However, this particular variant appears to have
had a tag-along that MBAM did not find and so far Vipre has not found...
some sort of adware. Ads keep popping up all the time on the desktop and
iexplore.exe is running in the background.

Any suggestions?



From: Tammy Stewart [mailto:copper...@personainternet.com] 
Sent: Thursday, June 16, 2011 12:07 PM
To: NT System Admin Issues
Subject: RE: Fake antivirus

Good to hear Mike,

Just in case some others missed it –
http://supportforums.sunbeltsoftware.com/messageview.aspx?catid=76&threadid=7944&enterthread=y

If still getting redirects after the rogue exes have been removed – it is
usually volsnap.sys that is compromised. Replacing with known good copy from
recovery console/barts/UBCD/etc will take care of that issue.

If still active – avoid logging in with admin privs if possible & use
process explorer to kill the rogue, rename it etc. (run as)
Logging in with admin privs will surely mangle volsnap.sys.

Cheers!

Tammy


From: Mike Sullivan [mailto:neog...@gmail.com] 
Sent: Thursday, June 16, 2011 10:12 AM
To: NT System Admin Issues
Subject: Re: Fake antivirus

I ran into this on Monday, at least I have my users locked down and they
only saw the message that the hard drive was failing and their shortcuts
disappeared. I followed Tammy's instructions and had it cleaned up pronto! 
On Thu, Jun 16, 2011 at 6:53 AM, Jonathan  wrote:
I've run into a nice variant of this just this morning... the window is
titled, "Windows Vista Restore" and the caption at the top of the window
says, "PC Performance & Stability analysis report". It is telling me that the
hard drive is failing and that private data is at risk.

When I went into the root of C:, it only showed one file, named
bootsect.bak. After I chose to display all hidden and os files,
voilà, everything in C: and on the desktop appeared.

What a way to start a Thursday - at least it isn't Monday!

JR
On Mon, Jun 6, 2011 at 11:56 AM, Roger Wright  wrote:
Try setting him up with ClearCloudDNS - might help prevent future
infections.


Roger Wright
___

"Formula for success: rise early, work hard, strike oil." - J. Paul Getty





On Fri, Jun 3, 2011 at 10:34 AM, John Aldrich wrote:
> Thanks... This particular user is unlucky enough to have teenagers who use
> his computer. My guess is they are visiting infected/hostile/0wned sites and
> that's how he's getting infected. Never really had a problem when he was
> working here, so I'm suspecting it's some of his grandkids that are causing
> the problem.
>
> As I have not yet seen the problem, I don't know if it's going to be easy or
> difficult. Hopefully MBAM and Vipre won't have any problem with it. :D
>
> Thanks again!
>
>
>
> From: James Rankin [mailto:kz2...@googlemail.com]
> Sent: Friday, June 03, 2011 10:31 AM
> To: NT System Admin Issues
> Subject: Re: Fake antivirus
>
> May be time to invest in some UAT (user awareness training). Continual
> re-infestation either means he is unlucky, or gung-ho in his browsing.
>
> I've had some fake AVs recently which were ridiculously easy to get rid of
> (kill process, delete files, remove autorun entry). Others have been more
> stealthy - such as killing targeted windows like Task Manager. Booting into
> safe mode usually prevents these extra "features" from bothering you.
>
> But as with everything - a reimage may be the only way to be sure.
> On 3 June 2011 15:26, John Aldrich  wrote:
> I'm going to go to a former co-worker's this afternoon to clean his system
> (again) from another fake antivirus infestation. I've already got Vipre
> Rescue and Malware Bytes on a memory stick. I've also got RKILL. I haven't
> had to deal with any fake antivirus in a few weeks. Just wondering if they
> have developed any new tricks recently that I should be aware of?
>
> Oh, this user had Vipre Home on his PC, and got infested anyway. Should I
> submit samples to Sunbelt (assuming I can find where they're quarantined)???
>
> Thanks!
>
>
>
>
>
>
>
>
> --
> "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
> the machine wrong figures, will the right answers come out?' I am not able
> rightly to apprehend the kind of confusion of ideas that could provoke such
> a question."
>
> IMPORTANT: The information in this email is CONFIDENTIAL. If its contents
> are disclosed in any way my lawyers will swoop down from bl

Re: file copying

2011-06-16 Thread Jonathan Link
robocopy <source> <destination> /mir /r:1 /w:10 /sec
As a scheduled task, too.
Repeat as necessary until you're ready to switch everyone over. Retries once
on a problem, and waits 10 seconds between retries.  I used it to stage data
that was being in use from direct storage to our SAN.  dat store is only
about 500 GB, though.  Final pass took about 5 minutes when I was able to
take everyone off line and minimize downtime.

On Thu, Jun 16, 2011 at 9:31 PM, Level 5 Lists  wrote:

>  I have a client that we need to migrate about 2tb of data. I recently
> used xcopy gui but it didn’t seem to bring a lot of permissions over and I
> had to go back through and redo it.
>
>
>
> I also played with the Richcopy but it would always hang up, I couldn’t
> just select the root folder and have it successfully copy that much data.
>
>
>
> I'm willing to purchase something if anyone has anything that just works. I
> need permissions mainly, not overly worried about timestamps, but ACL is
> required.
>
>
>
> Thx
>
>
>
>
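A way to check the result of the staged robocopy passes discussed in this thread without relying on spot checks (an added example, not code from any poster; the script name and the paths in the usage comment are hypothetical). It walks the source tree and reports every item that is missing at the destination or whose owner or DACL differs there.

```powershell
# Compare-TreeAcl.ps1 (hypothetical name) - added example, not from the thread.
# Usage (constructed paths):
#   .\Compare-TreeAcl.ps1 -SourceRoot D:\Shares\Data -DestRoot \\newsrv\Data
param(
    [Parameter(Mandatory = $true)][string]$SourceRoot,
    [Parameter(Mandatory = $true)][string]$DestRoot,
    [string]$ReportPath = '.\acl-mismatch.csv'
)

# Compare the DACL only; reading the SACL would need SeSecurityPrivilege.
$daclOnly = [System.Security.AccessControl.AccessControlSections]::Access

function Get-SecuritySummary {
    param([string]$Path)
    # -ErrorAction Stop turns "access denied" into an exception the caller records.
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    New-Object psobject -Property @{
        Owner = $acl.Owner
        Dacl  = $acl.GetSecurityDescriptorSddlForm($daclOnly)
    }
}

# Resolve both roots once. The trimmed copies are used only to build relative
# paths, so a drive root such as D:\ still enumerates correctly.
$srcPath = (Resolve-Path -LiteralPath $SourceRoot).ProviderPath
$dstPath = (Resolve-Path -LiteralPath $DestRoot).ProviderPath
$srcBase = $srcPath.TrimEnd('\')
$dstBase = $dstPath.TrimEnd('\')

$checked  = 0
$findings = foreach ($item in Get-ChildItem -LiteralPath $srcPath -Recurse -Force) {
    $checked++
    $rel    = $item.FullName.Substring($srcBase.Length)   # keeps the leading '\'
    $target = $dstBase + $rel
    $issue  = $null
    $srcOwner = $null
    $dstOwner = $null
    try {
        if (-not (Test-Path -LiteralPath $target)) {
            $issue = 'MissingAtDestination'
        } else {
            $a = Get-SecuritySummary -Path $item.FullName
            $b = Get-SecuritySummary -Path $target
            $srcOwner = $a.Owner
            $dstOwner = $b.Owner
            $parts = @()
            # The SDDL string includes inherited ACEs and the protection flag,
            # so a different ACL above the two roots can show up here as well.
            if ($a.Dacl  -ne $b.Dacl)  { $parts += 'DaclDiffers' }
            if ($a.Owner -ne $b.Owner) { $parts += 'OwnerDiffers' }
            if ($parts.Count -gt 0)    { $issue = $parts -join ',' }
        }
    } catch {
        # Record unreadable items instead of silently skipping them.
        $issue = 'Unreadable: ' + $_.Exception.Message
    }
    if ($issue) {
        New-Object psobject -Property @{
            Path        = $rel
            Issue       = $issue
            SourceOwner = $srcOwner
            DestOwner   = $dstOwner
        }
    }
}

# Normalise to an array so .Count works when nothing was found.
$findings = @($findings | Where-Object { $_ })
$findings |
    Select-Object Path, Issue, SourceOwner, DestOwner |
    Export-Csv -Path $ReportPath -NoTypeInformation

Write-Output ("{0} items checked, {1} differences written to {2}" -f `
    $checked, $findings.Count, $ReportPath)
```

robocopy's `/sec` is equivalent to `/copy:DATS`, which does not include owner information, so `OwnerDiffers` rows are expected after that command line unless `/copy:DATSO` or `/copyall` is used instead.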


RE: file copying

2011-06-16 Thread Michael B. Smith
I moved over 6TB for a client earlier this year with robocopy. We moved it in 
stages, but if you have got gigE between the servers, you can run multiple 
robocopies at once, up to the limits of your I/O subsystems.

If you need file diffs, take a look at DeltaCopy and cwRsync.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Level 5 Lists [mailto:li...@levelfive.us]
Sent: Thursday, June 16, 2011 9:32 PM
To: NT System Admin Issues
Subject: file copying

I have a client that we need to migrate about 2tb of data. I recently used 
xcopy gui but it didn't seem to bring a lot of permissions over and I had to go 
back through and redo it.

I also played with the Richcopy but it would always hang up, I couldn't just 
select the root folder and have it successfully copy that much data.

I'm willing to purchase something if anyone has anything that just works. I need 
permissions mainly, not overly worried about timestamps, but ACL is required.

Thx



RE: [Bulk] file copying

2011-06-16 Thread Orland, Kathleen
Tried Robocopy? 

 

From: Level 5 Lists [mailto:li...@levelfive.us] 
Sent: Thursday, June 16, 2011 9:32 PM
To: NT System Admin Issues
Subject: [Bulk] file copying

 

I have a client that we need to migrate about 2tb of data. I recently used
xcopy gui but it didn't seem to bring a lot of permissions over and I had to
go back through and redo it.

 

I also played with the Richcopy but it would always hang up, I couldn't just
select the root folder and have it successfully copy that much data. 

 

I'm willing to purchase something if anyone has anything that just works. I
need permissions mainly, not overly worried about timestamps, but ACL is
required.

 

Thx

 


RE: computer password question

2011-06-16 Thread Michael B. Smith
I think it depends on how long the VPN is connected. But in general, I agree 
with you (presuming we are not referring to single-factor DirectAccess).

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com


-----Original Message-----
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: Thursday, June 16, 2011 7:42 PM
To: NT System Admin Issues
Subject: Re: computer password question

It depends

If the logon happens after the computer makes the connection to a DC,
then the computer account password will update. Some VPN drivers will
make a firewall and network connection before the user sees the logon
prompt.

Someone should correct me here, but I believe that if you're launching
the VPN connection with the user logon, the computer account won't
update without manual intervention, such as executing a netdom command
once the tunnel is established.

On Thu, Jun 16, 2011 at 15:15, Neil Standley  wrote:
> Does anyone know if the computer account password will update if the domain
> user only logs in over dial up (PPTP) VPN?
>
> I haven’t been able to find a definitive answer to this yet.
>
>
>
> DC is SBS 2008 SP2
>
> Client is Vista SP2
>
> VPN is established at the interactive (ctrl-alt-del) login screen
>
>
>
>
>
>
>
> Mucho gracias.
>
> Neil
>

Re: computer password question

2011-06-16 Thread Kurt Buff
It depends

If the logon happens after the computer makes the connection to a DC,
then the computer account password will update. Some VPN drivers will
make a firewall and network connection before the user sees the logon
prompt.

Someone should correct me here, but I believe that if you're launching
the VPN connection with the user logon, the computer account won't
update without manual intervention, such as executing a netdom command
once the tunnel is established.

On Thu, Jun 16, 2011 at 15:15, Neil Standley  wrote:
> Does anyone know if the computer account password will update if the domain
> user only logs in over dial up (PPTP) VPN?
>
> I haven’t been able to find a definitive answer to this yet.
>
>
>
> DC is SBS 2008 SP2
>
> Client is Vista SP2
>
> VPN is established at the interactive (ctrl-alt-del) login screen
>
>
>
>
>
>
>
> Mucho gracias.
>
> Neil
>



Re: Proliant RAID config question

2011-06-16 Thread Andrew S. Baker
Since you have a *couple* of servers, you should be fine.  (More precisely,
you have 4 drives)


Assuming you don't like the advice already provided (or it somehow fails to
work, which I think will be very unlikely), you can try another exciting
option:

   - Take 3 drives, and create your RAID1 with hotspare.
   - Then remove 2 of the drives, and in conjunction with the one free
   drive, do the same thing on the other server
   - Now, take out the newest "hotspare" and put it back with server 1

Loads of fun and a cool experience.


BTW, are the servers so remote that you really need a hotspare for RAID1?


*ASB* (Professional Bio)
Harnessing the Advantages of Technology for the SMB market...




On Thu, Jun 16, 2011 at 3:31 PM, Paul Gordon wrote:

> I'm building a couple of DL360's that have been delivered with 1 hard drive
> too few... - each should have 3 drives, for a RAID1 plus 1 hot-spare
> config.. - only two drives per server are currently available...
>
> I'm thinking that I Can go ahead & build the RAID1 array, then come back &
> add a hot spare to that later without having to trash & rebuild the whole
> array... - but having been bitten by such assumptions in the past, it would
> be nice to have that confirmed or denied as appropriate..
>
> So does anyone know, - definitely - on a DL360 G7, with embedded
> smart-array
> controller, can I add a hot-spare to an existing array that doesn't
> currently have one, without any effect on the array itself?
>
> TIA
>
> Paul G.
>
>
>


Re: Resetting Domain Administrator password - Server 2008 R2

2011-06-16 Thread Ben N
I inherited this :) won't be like this going forward you can bet!

On Thu, Jun 16, 2011 at 1:26 PM, Steven Peck  wrote:

> It may just be time to build and document it right as awful as that option
> seems to be.  You gain the long term benefit of knowing exactly what the
> environment is now.
>
>
> On Thu, Jun 16, 2011 at 12:31 PM, Ben N  wrote:
>
>> No this is like an onsite user demo environment, but on a bigger scale. 2
>> Physical hosts and about a dozen VMs.. it is in no way a copy of our production
>> AD.
>>
>>
>> On Thu, Jun 16, 2011 at 12:29 PM, Guyer, Don wrote:
>>
>>> If this is going to be a copy of your live AD environment, any way you
>>> can back the live up to a DVD (or other media) and restore it into this
>>> environment?
>>>
>>>
>>> I know, not a “quick” solution…
>>>
>>> :)
>>>
>>> *Don Guyer*
>>>
>>> Windows Systems Engineer
>>>
>>> RIM Operations Engineering Distributed – A Team, Tier 2
>>>
>>> Enterprise Technology Group
>>>
>>> *Fiserv*
>>>
>>> don.gu...@fiserv.com
>>>
>>> Office: 1-800-523-7282 x 1673
>>>
>>> Fax: 610-233-0404
>>>
>>> www.fiserv.com
>>>
>>>
>>> From: Ben N [mailto:bennordlan...@gmail.com]
>>> Sent: Thursday, June 16, 2011 3:22 PM
>>> To: NT System Admin Issues
>>> Subject: Re: Resetting Domain Administrator password - Server 2008 R2
>>>
>>> No one else that works here still was a DA. These servers have been off
>>> for almost a year. I don't want to have to rebuild AD.
>>>
>>>
>>> -Ben
>>>
>>> On Thu, Jun 16, 2011 at 12:18 PM,  wrote:
>>>
>>> No one else was a DA ?
>>>
>>> From: Ben N
>>> To: "NT System Admin Issues" <ntsysadmin@lyris.sunbelt-software.com>
>>> Date: 06/16/2011 03:17 PM
>>> Subject: Resetting Domain Administrator password - Server 2008 R2
>>>
>>> So I have an old set of servers as VMs. They had their own AD servers as
>>> well, but no one remembers the logon or works here anymore.
>>>
>>> I am trying to go through and reset the domain administrator account
>>> password. I have already blanked out the machine user account, so I can
>>> reboot, F8, pick directory restore, and logon that way.
>>>
>>> I'm using the srvany.exe method, using a complex password. It doesn't
>>> seem to work. Anyone have luck with this in the past?
>>>
>>> I'm following directions from here:
>>>
>>> http://www.petri.co.il/reset_domain_admin_password_in_windows_server_2003_ad.htm
>>>
>>> But I thought it was odd he had D:\temp\cmd.exe instead of
>>> c:\windows\system32\cmd.exe...  So I'm using Robert Strom's script file
>>> instead and that looks good to me.
>>>
>>> I've checked the registry setting for the service, looks good. Service
>>> looks good, although I had to manually check that interactive option on the
>>> Logon (2nd) tab.
>>> But every time I boot this server up.. wait a few minutes. my new
>>> password isn't taking. I wish I knew if there was some kind of error message
>>> or something so I can see if there is a mistake somewhere.
>>>
>>> or I'm open to other ideas on how to do this same thing.
>>>
>>> -Ben 
>>>

RE: [OT] SCOM cracks me up.

2011-06-16 Thread Steven M. Caesare
That's just an estimate. It might be slightly less than that.

-sc

> -----Original Message-----
> From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
> Sent: Wednesday, June 15, 2011 9:42 AM
> To: NT System Admin Issues
> Subject: [OT] SCOM cracks me up.
>
> Sometimes these alerts just make me chuckle. Apparently I have a file server
> that is 8171 years behind on logging events.
>
>
> Last modified time: 6/15/2011 6:28:35 AM Alert description: The Windows
> Event Log Provider monitoring the Application Event Log is 4294967294
> minutes behind in processing events.  This can occur when the provider is
> restarted after being offline for some time, or there are too many events to
> be handled by the workflow.
> 
> 



RE: [OT] Citibank worse at security than Sony

2011-06-16 Thread Steven M. Caesare
> But things always go wrong in large IT shops.

True... but it's useful to try and limit those failures to new and fun
events, as opposed to basic stuff that's in "Secure site design 101",
because failures of that nature when you are as high profile as Citibank
would likely indicate failures on multiple fronts: vetting design firms,
defense in depth implementation, pen-testing, etc...

-sc

> -Original Message-
> From: Ken Schaefer [mailto:k...@adopenstatic.com]
> Sent: Wednesday, June 15, 2011 8:17 AM
> To: NT System Admin Issues
> Subject: RE: [OT] Citibank worse at security than Sony
> 
> You can push all you like. But it's not your area of expertise. So you rely on
> other people to tell you that the app works well. Things will always still slip
> through the cracks.
> 
> I'm not trying to excuse this - it looks pretty amateurish. But things always go
> wrong in large IT shops.
> 
> -Original Message-
> From: Ben Scott [mailto:mailvor...@gmail.com]
> Sent: Wednesday, 15 June 2011 7:55 PM
> To: NT System Admin Issues
> Subject: Re: [OT] Citibank worse at security than Sony
> 
> On Wed, Jun 15, 2011 at 7:39 AM, Ken Schaefer 
> wrote:
> > Hmm - at the individual application development level, in a large org,
> > no one cares about shareholder value.
> 
>   That's why the people at the top need to be the ones pushing for security.
> It can't be driven from the bottom.
> 
> 



RE: [OT] Citibank worse at security than Sony

2011-06-16 Thread Steven M. Caesare
Egads.

And oof.

-sc

> -Original Message-
> From: Ben Scott [mailto:mailvor...@gmail.com]
> Sent: Tuesday, June 14, 2011 11:36 PM
> To: NT System Admin Issues
> Subject: [OT] Citibank worse at security than Sony
> 
>   So... 200,000 or so Citigroup customers have had their personal info stolen.
> Someone logged in to one account properly, then changed the account
> number in the URL to someone else, and the site happily served up that
> account instead.  I hesitate to even call the first party an "attacker".  Is it
> really an attack if the bank just leaves a pile of money sitting on the sidewalk
> and someone takes it?
> 
> http://www.dailymail.co.uk/news/article-2003393/How-Citigroup-hackers-broke-door-using-banks-website.html
> 
>   Some banker fat cats need to go to jail for this.  This is incompetence of the
> highest order.
> 
> -- Ben
> 
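
The failure described in the quoted post above (a logged-in user changes the account number in the URL and is served someone else's account) is a missing per-object authorization check. The following is an added example, not code from this thread or from the bank's site: a lookup that checks only authentication, next to one that also checks ownership and records denied lookups so that enumeration is visible. All names, account numbers, session tokens and the alert threshold are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample data: account number -> record with its owning user.
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 2500},
    "1002": {"owner": "bob", "balance": 90},
    "1003": {"owner": "carol", "balance": 14000},
}
# Constructed session table: session token -> authenticated user.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}

# Assumed threshold: distinct denied account numbers before a user is flagged.
ENUMERATION_THRESHOLD = 2


class Forbidden(Exception):
    """The caller has no valid session."""


class NotFound(Exception):
    """The account is missing OR belongs to someone else (same answer for both)."""


@dataclass
class AccessMonitor:
    """Collects denied object references per user for alerting."""
    denied: dict = field(default_factory=dict)

    def record_denial(self, user, account_id):
        self.denied.setdefault(user, set()).add(account_id)

    def flagged_users(self):
        # Users who were refused on several distinct account numbers.
        return sorted(user for user, ids in self.denied.items()
                      if len(ids) >= ENUMERATION_THRESHOLD)


def authenticate(session_token):
    """Map a session token to a user, or refuse."""
    user = SESSIONS.get(session_token)
    if user is None:
        raise Forbidden("not logged in")
    return user


def get_account_vulnerable(session_token, account_id):
    """Checks that the caller is logged in, but not whose account is requested."""
    authenticate(session_token)
    record = ACCOUNTS.get(account_id)
    if record is None:
        raise NotFound(account_id)
    return record  # served to any authenticated user


def get_account_hardened(session_token, account_id, monitor):
    """Checks authentication AND that the session's user owns the account."""
    user = authenticate(session_token)
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != user:
        # Identical response for "missing" and "not yours" avoids confirming
        # which account numbers exist; the denial is kept for detection.
        monitor.record_denial(user, account_id)
        raise NotFound(account_id)
    return record


if __name__ == "__main__":
    monitor = AccessMonitor()
    print("vulnerable:", get_account_vulnerable("sess-alice", "1002"))
    for acct in ("1001", "1002", "1003"):
        try:
            print("hardened:", acct, get_account_hardened("sess-alice", acct, monitor))
        except NotFound:
            print("hardened:", acct, "not found")
    print("flagged:", monitor.flagged_users())
```
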



Re: Proliant RAID config question

2011-06-16 Thread Cameron
Just as a thought...build one for grins & giggles and then try and add the
hot spare (I seem to recall doing something similar in the past couple of
years and didn't have any problems)...worst case...you're redoing one server

Cheers,
Cameron

On Thu, Jun 16, 2011 at 3:55 PM, Eric Wittenberg
wrote:

> Of all the RAID controllers I've worked with (Proliant server and Dell
> PowerEdge) there has never been a problem adding a hotspare. Most will even
> allow you to migrate the hotspare into the array (raid 1) and migrate it to
> raid 5 while it is live without data loss.
>
> Eric Wittenberg
>
>
>
> On Thu, Jun 16, 2011 at 1:31 PM, Paul Gordon wrote:
>
>> I'm building a couple of DL360's that have been delivered with 1 hard drive
>> too few... - each should have 3 drives, for a RAID1 plus 1 hot-spare
>> config.. - only two drives per server are currently available...
>>
>> I'm thinking that I Can go ahead & build the RAID1 array, then come back &
>> add a hot spare to that later without having to trash & rebuild the whole
>> array... - but having been bitten by such assumptions in the past, it would
>> be nice to have that confirmed or denied as appropriate..
>>
>> So does anyone know, - definitely - on a DL360 G7, with embedded smart-array
>> controller, can I add a hot-spare to an existing array that doesn't
>> currently have one, without any effect on the array itself?
>>
>> TIA
>>
>> Paul G.
>>
>>
>>

RE: Capturing video from YouTube?

2011-06-16 Thread Steven M. Caesare
For file format support VLC is good. For accuracy and quality, Media Player 
Classic - Home Cinema edition is hard to beat (especially with the madVR 
renderer), and nearly as flexible for file formats.

-sc

> -Original Message-
> From: John Cook [mailto:john.c...@pfsf.org]
> Sent: Monday, June 13, 2011 8:17 PM
> To: NT System Admin Issues
> Subject: Re: Capturing video from YouTube?
> 
> Plus there's a portable version. I keep a copy on a jump drive at all times.
> John W. Cook
> Systems Administrator
> Partnership for Strong Families
> 
> - Original Message -
> From: Kurt Buff 
> To: NT System Admin Issues 
> Sent: Mon Jun 13 20:04:53 2011
> Subject: Re: Capturing video from YouTube?
> 
> Best player (in my limited experience!) is VLC, and it works really well with
> FLV, and runs on both Windows and *nix. Absolutely worth having.
> 
> Kurt
> 
> On Mon, Jun 13, 2011 at 12:41, John Aldrich 
> wrote:
> > Well, for one, youtube stores the files in .FLV format, and not too
> > many players I've found understand that format. :D
> >
> >
> >
> > From: Micheal Espinola Jr [mailto:michealespin...@gmail.com]
> > Sent: Monday, June 13, 2011 3:38 PM
> > To: NT System Admin Issues
> > Subject: Re: Capturing video from YouTube?
> >
> > +1
> >
> > --
> > ME2
> >
> >
> >
> >
> > On Mon, Jun 13, 2011 at 9:17 AM, Joseph L. Casale
> >  wrote:
> > Uh, that would degrade the quality significantly?
> > Why not dump the actual movie file sent to you from youtube?
> >
> > From: Rod Trent [mailto:rodtr...@myitforum.com]
> > Sent: Monday, June 13, 2011 10:19 AM
> >
> > To: NT System Admin Issues
> > Subject: RE: Capturing video from YouTube?
> >
> > There are multiple YouTube downloaders out there, but you have to be
> > careful.  Some contain scumware.
> >
> > The safest way is to use something like SnagIT to capture/record the
> > video while it’s playing.
> >
> > From: James Rankin [mailto:kz2...@googlemail.com]
> > Sent: Monday, June 13, 2011 12:10 PM
> >
> > To: NT System Admin Issues
> > Subject: OT: Capturing video from YouTube?
> >
> > Is there any way to "snag" a video from YouTube or other online site?
> > I know there are various copyright issues attached to this, but it's
> > just that one of my little lads is obsessed with planes (mostly the
> > F14, for some reason) and loves to watch a particular video of it.
> > It's just that booting up my laptop, attaching it to the TV, switching
> > the TV to VGA mode, and then firing up the video for him is a bit of a
> > chore, and I was just wondering if anyone knew any way it could be
> > streamlined.
> >
> >
> > TIA,
> >
> >
> >
> > JRR
> >
> > --
> > "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put
> > into the machine wrong figures, will the right answers come out?' I am
> > not able rightly to apprehend the kind of confusion of ideas that
> > could provoke such a question."
> >
> > IMPORTANT: The information in this email is CONFIDENTIAL. If its
> > contents are disclosed in any way my lawyers will swoop down from
> > black helicopters like Seal Team Six and drag you away with a black
> > bag over your head. They will then take you to a secret prison and
> > make you fight to the death with other people who dared to share this
> > email. You will be given a large bowie knife and a supply of
> > methamphetamines while I watch the said deathmatch and wager vast sums
> > of money on who will be the winner. If the fight becomes boring or
> > there is a stalemate, I will release rabid dogs and my two-stone cat
> > into the arena to liven things up a bit. If these animals become in
> > any way docile, I will squirt them with water pistols until they become a
> > bit more temperamental.

RE: Resetting Domain Administrator password - Server 2008 R2

2011-06-16 Thread Michael B. Smith
DaRT and ERD should both be able to handle this.

That being said, I've used the DSRM/service-account and DSRM/at-cmd solutions 
both before, with success.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Steven Peck [mailto:sep...@gmail.com]
Sent: Thursday, June 16, 2011 4:27 PM
To: NT System Admin Issues
Subject: Re: Resetting Domain Administrator password - Server 2008 R2

It may just be time to build and document it right as awful as that option 
seems to be.  You gain the long term benefit of knowing exactly what the 
environment is now.
On Thu, Jun 16, 2011 at 12:31 PM, Ben N [mailto:bennordlan...@gmail.com] wrote:
No this is like a onsite user demo environment, but on a bigger scale. 2 
Physical hosts and about a dozen VMs.. it is no way a copy of our production AD.

On Thu, Jun 16, 2011 at 12:29 PM, Guyer, Don [mailto:don.gu...@fiserv.com] wrote:
If this is going to be a copy of your live AD environment, any way you can back 
the live up to a DVD (or other media) and restore it into this environment?

I know, not a "quick" solution...

:)

Don Guyer
Windows Systems Engineer
RIM Operations Engineering Distributed - A Team, Tier 2
Enterprise Technology Group
Fiserv
don.gu...@fiserv.com
Office: 1-800-523-7282 x 1673
Fax: 610-233-0404
www.fiserv.com

From: Ben N [mailto:bennordlan...@gmail.com]
Sent: Thursday, June 16, 2011 3:22 PM

To: NT System Admin Issues
Subject: Re: Resetting Domain Administrator password - Server 2008 R2

No one else that works here still was a DA. These servers have been off for 
almost a year. I don't want to have to rebuild AD.

-Ben
On Thu, Jun 16, 2011 at 12:18 PM, [mailto:ron.wu...@bnymellon.com] wrote:
No one else was a DA ?

From: Ben N [mailto:bennordlan...@gmail.com]
To: "NT System Admin Issues" [mailto:ntsysadmin@lyris.sunbelt-software.com]
Date: 06/16/2011 03:17 PM
Subject: Resetting Domain Administrator password - Server 2008 R2

So I have an old set of servers as VMs. They had their own AD servers as well, 
but no one remembers the logon or work here anymore.

I am trying to go through and reset the domain administrator account 
password. I have already blanked out the machine useraccount, so I can reboot, 
F8, pick directory restore, and logon that way.

I'm using the srvany.exe method, using a complex password. It doesn't seem to 
work. Anyone have luck with this in the past?

I'm following directions from here:
http://www.petri.co.il/reset_domain_admin_password_in_windows_server_2003_ad.htm

But I thought it was odd he had D:\temp\cmd.exe instead of 
c:\windows\system32\cmd.exe...  So I'm using Robert STrom's script file instead 
and that looks good to me.

I've checked the registry setting for the service, looks good. Service looks 
good, although I had to manually check that interactive option on the Logon 
(2nd) tab.
But every time I boot this server up.. wait a few minutes. my new password 
isn't taking. I wish I knew if there was some kind of error message or 
something so I can see if there is a mistake somewhere.

Or I'm open to other ideas on how to do this same thing.

-Ben

Re: Resetting Domain Administrator password - Server 2008 R2

2011-06-16 Thread Steven Peck
It may just be time to build and document it right as awful as that option
seems to be.  You gain the long term benefit of knowing exactly what the
environment is now.

On Thu, Jun 16, 2011 at 12:31 PM, Ben N  wrote:

> No this is like a onsite user demo environment, but on a bigger scale. 2
> Physical hosts and about a dozen VMs.. it is no way a copy of our production
> AD.
>
>
> On Thu, Jun 16, 2011 at 12:29 PM, Guyer, Don  wrote:
>
>> If this is going to be a copy of your live AD environment, any way you can
>> back the live up to a DVD (or other media) and restore it into this
>> environment?
>>
>> I know, not a “quick” solution…
>>
>> :)
>>
>> Don Guyer
>> Windows Systems Engineer
>> RIM Operations Engineering Distributed – A Team, Tier 2
>> Enterprise Technology Group
>> Fiserv
>> don.gu...@fiserv.com
>> Office: 1-800-523-7282 x 1673
>> Fax: 610-233-0404
>> www.fiserv.com
>>
>> From: Ben N [mailto:bennordlan...@gmail.com]
>> Sent: Thursday, June 16, 2011 3:22 PM
>> To: NT System Admin Issues
>> Subject: Re: Resetting Domain Administrator password - Server 2008 R2
>>
>> No one else that works here still was a DA. These servers have been off
>> for almost a year. I don't want to have to rebuild AD.
>>
>> -Ben
>>
>> On Thu, Jun 16, 2011 at 12:18 PM,  wrote:
>>
>> No one else was a DA ?
>>
>> From: Ben N
>> To: "NT System Admin Issues" <ntsysadmin@lyris.sunbelt-software.com>
>> Date: 06/16/2011 03:17 PM
>> Subject: Resetting Domain Administrator password - Server 2008 R2
>>
>> So I have an old set of servers as VMs. They had their own AD servers as
>> well, but no one remembers the logon or work here anymore.
>>
>> I am trying to go through and reset the domain administrator account
>> password. I have already blanked out the machine useraccount, so I can
>> reboot, F8, pick directory restore, and logon that way.
>>
>> I'm using the srvany.exe method, using a complex password. It doesn't seem
>> to work. Anyone have luck with this in the past?
>>
>> I'm following directions from here:
>>
>> http://www.petri.co.il/reset_domain_admin_password_in_windows_server_2003_ad.htm
>>
>> But I thought it was odd he had D:\temp\cmd.exe instead of
>> c:\windows\system32\cmd.exe...  So I'm using Robert STrom's script file
>> instead and that looks good to me.
>>
>> I've checked the registry setting for the service, looks good. Service
>> looks good, although I had to manually check that interactive option on the
>> Logon (2nd) tab.
>> But every time I boot this server up.. wait a few minutes. my new password
>> isn't taking. I wish I knew if there was some kind of error message or
>> something so I can see if there is a mistake somewhere.
>>
>> Or I'm open to other ideas on how to do this same thing.
>>
>> -Ben
>>

help with unresponding esx host

2011-06-16 Thread Eldridge, Dave
I am fighting a hung esx host.

 

Question, I have my view connection server on this  esx host. We are at
the point of hitting the power button on the host.

Anyone know if this will disrupt the vdi clients running?

 

Thanks in advance.

 

dave





Re: Proliant RAID config question

2011-06-16 Thread Eric Wittenberg
Of all the RAID controllers I've worked with (Proliant server and Dell
PowerEdge) there has never been a problem adding a hotspare. Most will even
allow you to migrate the hotspare into the array (raid 1) and migrate it to
raid 5 while it is live without data loss.

Eric Wittenberg


On Thu, Jun 16, 2011 at 1:31 PM, Paul Gordon wrote:

> I'm building a couple of DL360's that have been delivered with 1 hard drive
> too few... - each should have 3 drives, for a RAID1 plus 1 hot-spare
> config.. - only two drives per server are currently available...
>
> I'm thinking that I Can go ahead & build the RAID1 array, then come back &
> add a hot spare to that later without having to trash & rebuild the whole
> array... - but having been bitten by such assumptions in the past, it would
> be nice to have that confirmed or denied as appropriate..
>
> So does anyone know, - definitely - on a DL360 G7, with embedded smart-array
> controller, can I add a hot-spare to an existing array that doesn't
> currently have one, without any effect on the array itself?
>
> TIA
>
> Paul G.
>
>
>

RE: Fake antivirus

2011-06-16 Thread Tammy Stewart
Looks like Sept 1 2011.

http://clearclouddns.com/

If using - may want to set a secondary DNS before anyone forgets. (OpenDNS
might be a decent alternative)

Cheers!

Tammy

From: David [mailto:blazer...@gmail.com] 
Sent: Thursday, June 16, 2011 2:46 PM
To: NT System Admin Issues
Subject: Re: Fake antivirus

 

I heard Sunbelt is going to discontinue the ClearCloud service -- anyone
know if/when that's going to happen?

David



On Thu, Jun 16, 2011 at 6:53 AM, Jonathan  wrote:

I've run into a nice variant of this just this morning... the window is
titled, "Windows Vista Restore" and the caption at the top of the window
says, "PC Performance & Stability analysis report". It is telling me that the
hard drive is failing and that private data is at risk.

When I went into the root of C:, it only showed one file, named
bootsect.bak. After I chose to display all hidden and OS files,
voila, everything in C: and on the desktop appeared.

 

What a way to start a Thursday - at least it isn't Monday!

 

JR

On Mon, Jun 6, 2011 at 11:56 AM, Roger Wright  wrote:

Try setting him up with ClearCloudDNS - might help prevent future
infections.


Roger Wright
___

"Formula for success: rise early, work hard, strike oil." - J. Paul Getty






On Fri, Jun 3, 2011 at 10:34 AM, John Aldrich
 wrote:
> Thanks... This particular user is unlucky enough to have teenagers who use
> his computer. My guess is they are visiting infected/hostile/0wned sites and
> that's how he's getting infected. Never really had a problem when he was
> working here, so I'm suspecting it's some of his grandkids that are causing
> the problem.
>
> As I have not yet seen the problem, I don't know if it's going to be easy or
> difficult. Hopefully MBAM and Vipre won't have any problem with it. :D
>
> Thanks again!
>
>
>

> From: James Rankin [mailto:kz2...@googlemail.com]
> Sent: Friday, June 03, 2011 10:31 AM

> To: NT System Admin Issues
> Subject: Re: Fake antivirus
>

> May be time to invest in some UAT (user awareness training). Continual
> re-infestation either means he is unlucky, or gung-ho in his browsing.
>
> I've had some fake AVs recently which were ridiculously easy to get rid of
> (kill process, delete files, remove autorun entry). Others have been more
> stealthy - such as killing targeted windows like Task Manager. Booting into
> safe mode usually prevents these extra "features" from bothering you.
>
> But as with everything - a reimage may be the only way to be sure.
> On 3 June 2011 15:26, John Aldrich  wrote:

> I'm going to go to a former co-worker's this afternoon to clean his system
> (again) from another fake antivirus infestation. I've already got Vipre
> Rescue and Malware Bytes on a memory stick. I've also got RKILL. I haven't
> had to deal with any fake antivirus in a few weeks. Just wondering if they
> have developed any new tricks recently that I should be aware of?
>
> Oh, this user had Vipre Home on his PC, and got infested anyway. Should I
> submit samples to Sunbelt (assuming I can find where they're quarantined)???
>
> Thanks!
>
>
>
>
>


Re: Resetting Domain Administrator password - Server 2008 R2

2011-06-16 Thread Ben N
No this is like a onsite user demo environment, but on a bigger scale. 2
Physical hosts and about a dozen VMs.. it is no way a copy of our production
AD.

On Thu, Jun 16, 2011 at 12:29 PM, Guyer, Don  wrote:

> If this is going to be a copy of your live AD environment, any way you can
> back the live up to a DVD (or other media) and restore it into this
> environment?
>
> I know, not a “quick” solution…
>
> :)
>
> Don Guyer
> Windows Systems Engineer
> RIM Operations Engineering Distributed – A Team, Tier 2
> Enterprise Technology Group
> Fiserv
> don.gu...@fiserv.com
> Office: 1-800-523-7282 x 1673
> Fax: 610-233-0404
> www.fiserv.com
>
> From: Ben N [mailto:bennordlan...@gmail.com]
> Sent: Thursday, June 16, 2011 3:22 PM
> To: NT System Admin Issues
> Subject: Re: Resetting Domain Administrator password - Server 2008 R2
>
> No one else that works here still was a DA. These servers have been off for
> almost a year. I don't want to have to rebuild AD.
>
> -Ben
>
> On Thu, Jun 16, 2011 at 12:18 PM,  wrote:
>
> No one else was a DA ?
>
> From: Ben N
> To: "NT System Admin Issues"
> Date: 06/16/2011 03:17 PM
> Subject: Resetting Domain Administrator password - Server 2008 R2
>
> So I have an old set of servers as VMs. They had their own AD servers as
> well, but no one remembers the logon or work here anymore.
>
> I am trying to go through and reset the domain administrator account
> password. I have already blanked out the machine useraccount, so I can
> reboot, F8, pick directory restore, and logon that way.
>
> I'm using the srvany.exe method, using a complex password. It doesn't seem
> to work. Anyone have luck with this in the past?
>
> I'm following directions from here:
>
> http://www.petri.co.il/reset_domain_admin_password_in_windows_server_2003_ad.htm
>
> But I thought it was odd he had D:\temp\cmd.exe instead of
> c:\windows\system32\cmd.exe...  So I'm using Robert STrom's script file
> instead and that looks good to me.
>
> I've checked the registry setting for the service, looks good. Service
> looks good, although I had to manually check that interactive option on the
> Logon (2nd) tab.
> But every time I boot this server up.. wait a few minutes. my new password
> isn't taking. I wish I knew if there was some kind of error message or
> something so I can see if there is a mistake somewhere.
>
> Or I'm open to other ideas on how to do this same thing.
>
> -Ben
>

Proliant RAID config question

2011-06-16 Thread Paul Gordon
I'm building a couple of DL360's that have been delivered with 1 hard drive
too few... - each should have 3 drives, for a RAID1 plus 1 hot-spare
config.. - only two drives per server are currently available...

I'm thinking that I can go ahead & build the RAID1 array, then come back &
add a hot spare to that later without having to trash & rebuild the whole
array... - but having been bitten by such assumptions in the past, it would
be nice to have that confirmed or denied as appropriate..

So does anyone know, - definitely - on a DL360 G7, with embedded smart-array
controller, can I add a hot-spare to an existing array that doesn't
currently have one, without any effect on the array itself?

TIA

Paul G.





RE: Resetting Domain Administrator password - Server 2008 R2

2011-06-16 Thread Guyer, Don
If this is going to be a copy of your live AD environment, any way you
can back the live up to a DVD (or other media) and restore it into this
environment?

 

I know, not a "quick" solution... :)

Don Guyer
Windows Systems Engineer
RIM Operations Engineering Distributed - A Team, Tier 2
Enterprise Technology Group
Fiserv
don.gu...@fiserv.com
Office: 1-800-523-7282 x 1673
Fax: 610-233-0404
www.fiserv.com

 

From: Ben N [mailto:bennordlan...@gmail.com] 
Sent: Thursday, June 16, 2011 3:22 PM
To: NT System Admin Issues
Subject: Re: Resetting Domain Administrator password - Server 2008 R2

 

No one else that works here still was a DA. These servers have been off
for almost a year. I don't want to have to rebuild AD.

 

-Ben

On Thu, Jun 16, 2011 at 12:18 PM,  wrote:

No one else was a DA ?

From: Ben N
To: "NT System Admin Issues"
Date: 06/16/2011 03:17 PM
Subject: Resetting Domain Administrator password - Server 2008 R2

So i have an old set of servers as VMs. They had their own AD servers as
well, but no one remembers the logon or work here anymore.

I am trying to go through and reset the domain administrator account
password. I have already blanked out the machine user account, so i can
reboot, F8, pick directory restore, and logon that way.

I'm using the srvany.exe method, using a complex password. It doesn't
seem to work. Anyone have luck with this in the past?

I'm following directions from here:
http://www.petri.co.il/reset_domain_admin_password_in_windows_server_2003_ad.htm

But i thought it was odd he had D:\temp\cmd.exe instead of
c:\windows\system32\cmd.exe...  So i'm using Robert Strom's script file
instead and that looks good to me.

I've checked the registry setting for the service, looks good. Service
looks good, although i had to manually check that interactive option on
the Logon (2nd) tab.
But every time i boot this server up.. wait a few minutes. my new
password isn't taking. I wish i knew if there was some kind of error
message or something so i can see if there is a mistake somewhere.

or i'm open to other ideas on how to do this same thing.

-Ben 


Re: Resetting Domain Administrator password - Server 2008 R2

2011-06-16 Thread Ben N
No one else that works here still was a DA. These servers have been off for
almost a year. I don't want to have to rebuild AD.

-Ben

On Thu, Jun 16, 2011 at 12:18 PM,  wrote:

> No one else was a DA ?
>
> From: Ben N
> To: "NT System Admin Issues"
> Date: 06/16/2011 03:17 PM
> Subject: Resetting Domain Administrator password - Server 2008 R2
>
> So i have an old set of servers as VMs. They had their own AD servers as
> well, but no one remembers the logon or work here anymore.
>
> I am trying to go through and reset the domain administrator account
> password. I have already blanked out the machine user account, so i can
> reboot, F8, pick directory restore, and logon that way.
>
> I'm using the srvany.exe method, using a complex password. It doesn't seem
> to work. Anyone have luck with this in the past?
>
> I'm following directions from here:
> http://www.petri.co.il/reset_domain_admin_password_in_windows_server_2003_ad.htm
>
> But i thought it was odd he had D:\temp\cmd.exe instead of
> c:\windows\system32\cmd.exe...  So i'm using Robert Strom's script file
> instead and that looks good to me.
>
> I've checked the registry setting for the service, looks good. Service
> looks good, although i had to manually check that interactive option on the
> Logon (2nd) tab.
> But every time i boot this server up.. wait a few minutes. my new password
> isn't taking. I wish i knew if there was some kind of error message or
> something so i can see if there is a mistake somewhere.
>
> or i'm open to other ideas on how to do this same thing.
>
> -Ben
>


Re: Hiding Outlook 2003 Icon

2011-06-16 Thread kz20fl
I would use NTFS perms or a redirected Start Menu GPO

Sent from my BlackBerry® wireless device

-Original Message-
From: "Ralph Smith" 
Date: Thu, 16 Jun 2011 14:56:57 
To: NT System Admin Issues
Reply-To: "NT System Admin Issues" 
Subject: RE: Hiding Outlook 2003 Icon

That should work. 

 



From: Webster [mailto:carlwebs...@gmail.com] 
Sent: Thursday, June 16, 2011 12:14 PM
To: NT System Admin Issues
Subject: RE: Hiding Outlook 2003 Icon

 

 

Change the permission on the icon.

Carl Webster
Consultant and Citrix Technology Professional
http://dabcc.com/Webster

 

 

From: Robert Jackson [mailto:r...@walkermartyn.co.uk] 
Subject: Hiding Outlook 2003 Icon

 

I have setup an x64 Windows 2003 Server (Standard Edition) running
Terminal Services and have installed M$ Office 2003. What I now want to
do is stop a group of users on this server from seeing and therefore
being able to run the MS Outlook 2003 icon in the Start Menu.

 

Anyone know of a way? Is there a GPO etc.?


Confidentiality Notice: 
---
This communication, including any attachments, may contain confidential 
information and is intended only for the individual or entity to whom it is 
addressed. Any review, dissemination, or copying of this communication by 
anyone other than the intended recipient is strictly prohibited. If you are not 
the intended recipient, please contact the sender by reply email, delete and 
destroy all copies of the original message.


Re: Resetting Domain Administrator password - Server 2008 R2

2011-06-16 Thread Ron . Wulff
No one else was a DA ?

From: Ben N
To: "NT System Admin Issues"
Date: 06/16/2011 03:17 PM
Subject: Resetting Domain Administrator password - Server 2008 R2



So i have an old set of servers as VMs. They had their own AD servers as
well, but no one remembers the logon or work here anymore.

I am trying to go through and reset the domain administrator account
password. I have already blanked out the machine user account, so i can
reboot, F8, pick directory restore, and logon that way.

I'm using the srvany.exe method, using a complex password. It doesn't seem
to work. Anyone have luck with this in the past?

I'm following directions from here:
http://www.petri.co.il/reset_domain_admin_password_in_windows_server_2003_ad.htm

But i thought it was odd he had D:\temp\cmd.exe instead of
c:\windows\system32\cmd.exe...  So i'm using Robert Strom's script file
instead and that looks good to me.

I've checked the registry setting for the service, looks good. Service
looks good, although i had to manually check that interactive option on
the Logon (2nd) tab.
But every time i boot this server up.. wait a few minutes. my new password
isn't taking. I wish i knew if there was some kind of error message or
something so i can see if there is a mistake somewhere.

or i'm open to other ideas on how to do this same thing.

-Ben

Resetting Domain Administrator password - Server 2008 R2

2011-06-16 Thread Ben N
So i have an old set of servers as VMs. They had their own AD servers as
well, but no one remembers the logon or work here anymore.

I am trying to go through and reset the domain administrator account
password. I have already blanked out the machine user account, so i can
reboot, F8, pick directory restore, and logon that way.

I'm using the srvany.exe method, using a complex password. It doesn't seem
to work. Anyone have luck with this in the past?

I'm following directions from here:
http://www.petri.co.il/reset_domain_admin_password_in_windows_server_2003_ad.htm

But i thought it was odd he had D:\temp\cmd.exe instead of
c:\windows\system32\cmd.exe...  So i'm using Robert Strom's script file
instead and that looks good to me.

I've checked the registry setting for the service, looks good. Service looks
good, although i had to manually check that interactive option on the Logon
(2nd) tab.
But every time i boot this server up.. wait a few minutes. my new password
isn't taking. I wish i knew if there was some kind of error message or
something so i can see if there is a mistake somewhere.

or i'm open to other ideas on how to do this same thing.

-Ben


RE: Hiding Outlook 2003 Icon

2011-06-16 Thread Ralph Smith
That should work. 

 



From: Webster [mailto:carlwebs...@gmail.com] 
Sent: Thursday, June 16, 2011 12:14 PM
To: NT System Admin Issues
Subject: RE: Hiding Outlook 2003 Icon

 

 

Change the permission on the icon.

Carl Webster
Consultant and Citrix Technology Professional
http://dabcc.com/Webster

 

 

From: Robert Jackson [mailto:r...@walkermartyn.co.uk] 
Subject: Hiding Outlook 2003 Icon

 

I have setup an x64 Windows 2003 Server (Standard Edition) running
Terminal Services and have installed M$ Office 2003. What I now want to
do is stop a group of users on this server from seeing and therefore
being able to run the MS Outlook 2003 icon in the Start Menu.

 

Anyone know of a way? Is there a GPO etc.?


Re: Fake antivirus

2011-06-16 Thread David
I heard Sunbelt is going to discontinue the ClearCloud service -- anyone
know if/when that's going to happen?

David


On Thu, Jun 16, 2011 at 6:53 AM, Jonathan  wrote:

> I've run into a nice variant of this just this morning... the window is
> titled, "Windows Vista Restore" and the caption at the top of the window
> says, "PC Performance & Stability analysis report". It is telling me that the
> hard drive is failing and that private data is at risk.
>
> When I went into the root of C:. it only showed one file, named
> bootsect.bak. After I chose to display all hidden and os files,
> voila, everything in C: and on the desktop appeared.
>
> What a way to start a Thursday - at least it isn't Monday!
>
> JR
>
> On Mon, Jun 6, 2011 at 11:56 AM, Roger Wright  wrote:
>
>> Try setting him up with ClearCloudDNS - might help prevent future
>> infections.
>>
>>
>> Roger Wright
>> ___
>>
>> "Formula for success: rise early, work hard, strike oil." - J. Paul Getty
>>
>>
>>
>>
>>
>> On Fri, Jun 3, 2011 at 10:34 AM, John Aldrich wrote:
>> > Thanks... This particular user is unlucky enough to have teenagers who use
>> > his computer. My guess is they are visiting infected/hostile/0wned sites and
>> > that's how he's getting infected. Never really had a problem when he was
>> > working here, so I'm suspecting it's some of his grandkids that are causing
>> > the problem.
>> >
>> > As I have not yet seen the problem, I don't know if it's going to be easy or
>> > difficult. Hopefully MBAM and Vipre won't have any problem with it. :D
>> >
>> > Thanks again!
>> >
>> > From: James Rankin [mailto:kz2...@googlemail.com]
>> > Sent: Friday, June 03, 2011 10:31 AM
>> > To: NT System Admin Issues
>> > Subject: Re: Fake antivirus
>> >
>> > May be time to invest in some UAT (user awareness training). Continual
>> > re-infestation either means he is unlucky, or gung-ho in his browsing.
>> >
>> > I've had some fake AVs recently which were ridiculously easy to get rid of
>> > (kill process, delete files, remove autorun entry). Others have been more
>> > stealthy - such as killing targeted windows like Task Manager. Booting into
>> > safe mode usually prevents these extra "features" from bothering you.
>> >
>> > But as with everything - a reimage may be the only way to be sure.
>> > On 3 June 2011 15:26, John Aldrich wrote:
>> > I'm going to go to a former co-worker's this afternoon to clean his system
>> > (again) from another fake antivirus infestation. I've already got Vipre
>> > Rescue and Malware Bytes on a memory stick. I've also got RKILL. I haven't
>> > had to deal with any fake antivirus in a few weeks. Just wondering if they
>> > have developed any new tricks recently that I should be aware of?
>> >
>> > Oh, this user had Vipre Home on his PC, and got infested anyway. Should I
>> > submit samples to Sunbelt (assuming I can find where they're quarantined)???
>> >
>> > Thanks!
>> >
>> > --
>> > "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
>> > the machine wrong figures, will the right answers come out?' I am not able
>> > rightly to apprehend the kind of confusion of ideas that could provoke such
>> > a question."
>> >
>> > IMPORTANT: The information in this email is CONFIDENTIAL. If its contents
>> > are disclosed in any way my lawyers will swoop down from black helicopters
>> > like Seal Team Six and drag you away with a black bag over your head. They
>> > will then take you to a secret prison and make you fight to the death with
>> > other people who dared to share this email. You will be given a large bowie
>> > knife and a supply of methamphetamines while I watch the said deathmatch and
>> > wager vast sums of money on who will be the winner. If the fight becomes
>> > boring or there is a stalemate, I will release rabid dogs and my two-stone
>> > cat into the arena to liven things up a bit. If these animals become in any
>> > way docile, I will squirt them with water pistols until they become a bit
>> > more temperamental.
>

Re: Determine who has VPN access?

2011-06-16 Thread Eric Brouwer
Dude.  You are awesome!  Thanks so much for this.  HUGE help.

And thanks for the other feedback as well.  As always, much appreciated.

On Thu, Jun 16, 2011 at 11:05 AM, Mike Wiebke  wrote:
> You can do this with a saved query in ADUC.  Just create a new query and select
> "Custom Search" for the query type.  Click on the Advanced tab and enter
> msNPAllowDialIn=TRUE for the query.  I think this is case sensitive.
>
> Mike W.
>
>
>
>
> - Original Message 
> From: Eric Brouwer 
> To: NT System Admin Issues 
> Sent: Thu, June 16, 2011 9:29:57 AM
> Subject: Determine who has VPN access?
>
> Greetings!
>
> I have a Windows 2003 Server configured for VPN access.  Is there a
> way to determine what users/groups have the Dial-In/VPN right outside
> of going through each user in Active Directory?
>
> Thank you,
>
> Eric
>
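
A scripted version of the audit discussed in this thread, as an added example that is not part of the original messages: it reads `msNPAllowDialin` for every user and reports three states, because an account where the attribute is not set ("Control access through Remote Access Policy" on the Dial-in tab) is not returned by a `=TRUE` query yet may still be granted VPN access by a policy on the server. The function name `Get-DialInPermission` and the sample search root are assumptions made for illustration.

```powershell
# Added example (not from the thread): report each user's Dial-in permission state.
# Uses the ADSI searcher built into .NET, so no ActiveDirectory module is needed.
function Get-DialInPermission {
    param(
        # Optional LDAP path to limit the search, e.g.
        # 'LDAP://OU=Staff,DC=example,DC=local' (placeholder DN).
        # Default: the domain of the machine running the script.
        [string]$SearchRoot
    )

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    if ($SearchRoot) { $searcher.SearchRoot = [ADSI]$SearchRoot }
    $searcher.Filter   = '(&(objectCategory=person)(objectClass=user))'
    $searcher.PageSize = 1000   # paged search, so large domains are not truncated
    foreach ($name in 'sAMAccountName', 'msNPAllowDialin',
                      'userAccountControl', 'distinguishedName') {
        [void]$searcher.PropertiesToLoad.Add($name)
    }

    $results = $searcher.FindAll()
    try {
        foreach ($entry in $results) {
            $p = $entry.Properties   # result keys are lower case

            # msNPAllowDialin: TRUE  = "Allow access"
            #                  FALSE = "Deny access"
            #                  unset = "Control access through Remote Access Policy"
            if (-not $p.Contains('msnpallowdialin')) {
                $state = 'PolicyControlled'
            } elseif ($p['msnpallowdialin'][0]) {
                $state = 'Allow'
            } else {
                $state = 'Deny'
            }

            New-Object PSObject -Property @{
                Account = [string]$p['samaccountname'][0]
                DialIn  = $state
                # Bit 0x2 of userAccountControl marks a disabled account.
                Enabled = -not ([int]$p['useraccountcontrol'][0] -band 2)
                DN      = [string]$p['distinguishedname'][0]
            } | Select-Object Account, DialIn, Enabled, DN
        }
    } finally {
        $results.Dispose()   # release the underlying search handle
    }
}

# Enabled accounts that are not explicitly denied. Rows marked PolicyControlled
# depend on the conditions (for example group membership) of the Remote Access
# Policies on the VPN server, so review those policies as well.
Get-DialInPermission |
    Where-Object { $_.Enabled -and $_.DialIn -ne 'Deny' } |
    Sort-Object DialIn, Account |
    Format-Table -AutoSize
```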




Re: Default C: drive permissions

2011-06-16 Thread Ben Scott
On Wed, Jun 15, 2011 at 11:28 AM, James Rankin  wrote:
> I agree, particularly in a Terminal Services environment. But I have just
> checked a 2003 R2 server and found the same thing.

  Indeed.  The permissions you see have been the default since Win
2000, IIRC (basically "forever").  We have long had a Group Policy in
place to remove them.  Users shouldn't be able to scribble in random
places.

  Another location that has default write permissions but shouldn't is
"All Users".  (Luser downloads and runs malware.  Malware compromises
something under "All Users".  Admin logs in to PC to fix malware.
Malware now runs with admin privileges.)  We fix that, too.

-- Ben
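
One way to check a machine for the default write permissions described above, as an added example that is not part of the original message: it lists the Allow entries on the system drive root and the "All Users" location that give broad built-in groups any create, write, delete or permission-change right. The function name `Get-BroadWriteAce`, the choice of groups and the rights mask are assumptions made for illustration; `%ALLUSERSPROFILE%` resolves to the "All Users" profile on Windows 2000/XP/2003 and to `C:\ProgramData` on later versions.

```powershell
# Added example (not from the thread): list ACEs that let broad groups write
# to locations ordinary users should only be able to read.
function Get-BroadWriteAce {
    param(
        [string[]]$Path = @("$env:SystemDrive\", $env:ALLUSERSPROFILE)
    )

    # Well-known SIDs, so the check does not depend on the display language.
    $broadSids = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-4'      = 'INTERACTIVE'
        'S-1-5-32-545' = 'BUILTIN\Users'
    }

    # Access-mask bits that allow creating or changing content:
    #   0x2 add file / write data      0x4 add subfolder / append data
    #   0x10 write EA                  0x40 delete child
    #   0x100 write attributes         0x10000 delete
    #   0x40000 change permissions     0x80000 take ownership
    #   0x40000000 GENERIC_WRITE       0x10000000 GENERIC_ALL
    $writeBits = 0x2 -bor 0x4 -bor 0x10 -bor 0x40 -bor 0x100 -bor 0x10000 -bor
                 0x40000 -bor 0x80000 -bor 0x40000000 -bor 0x10000000

    foreach ($item in $Path) {
        if (-not (Test-Path -Path $item)) { continue }

        # Ask for explicit and inherited rules, with identities as SIDs.
        $rules = (Get-Acl -Path $item).GetAccessRules(
            $true, $true, [System.Security.Principal.SecurityIdentifier])

        foreach ($ace in $rules) {
            $sid = $ace.IdentityReference.Value
            if ($ace.AccessControlType -ne 'Allow')  { continue }
            if (-not $broadSids.ContainsKey($sid))   { continue }
            if (-not ([int]$ace.FileSystemRights -band $writeBits)) { continue }

            New-Object PSObject -Property @{
                Path      = $item
                Principal = $broadSids[$sid]
                Rights    = $ace.FileSystemRights.ToString()
                # Which child objects the entry applies to
                AppliesTo = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
                Inherited = $ace.IsInherited
            } | Select-Object Path, Principal, Rights, AppliesTo, Inherited
        }
    }
}

# Any row returned is a place where a non-admin user can create or modify
# content; an empty result means the permissions have already been tightened.
Get-BroadWriteAce | Format-List
```

Running it before and after the Group Policy that removes these entries is applied shows whether the policy actually reached the machine.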



Re: Hiding Outlook 2003 Icon

2011-06-16 Thread Eric Wittenberg
If you set the Start menu item for Outlook to hidden it will not show up
when you display the Start Menu.

Eric Wittenberg


On Thu, Jun 16, 2011 at 10:03 AM, Robert Jackson wrote:

> I have setup an x64 Windows 2003 Server (Standard Edition) running Terminal
> Services and have installed M$ Office 2003. What I now want to do is stop a
> group of users on this server from seeing and therefore being able to run
> the MS Outlook 2003 icon in the Start Menu.
>
>
>
> Anyone know of a way? Is there a GPO etc.?
>
>
>
>
>
> Regards,
> Rab.
> =
> Robert Jackson             Phone: +44 (0) 141 332 7999
> IT Manager                 Fax: +44 (0) 141 331 2820
> Walker Martyn Ltd
> 1 Park Circus Place        Email: r...@walkermartyn.co.uk
> Glasgow G3 6AH, Scotland   Web: http://www.walkermartyn.co.uk
> =
>
>
>
> 
>
> The information in this internet E-mail is confidential and is intended
> solely for the addressee. Access, copying or re-use of information in it by
> anyone else is unauthorised. Any views or opinions presented are solely
> those of the author and do not necessarily represent those of Walker Martyn
> Ltd or any of its affiliates. If you are not the intended recipient please
> contact administra...@walkermartyn.co.uk.
>
> Walker Martyn Ltd, company number SC197533. Company is registered in
> Scotland and has its registered office at 1 Park Circus Place, Glasgow G3
> 6AH, UK.
>


RE: Hiding Outlook 2003 Icon

2011-06-16 Thread John Cook
How about an explicit deny on the folder/exe?

 John W. Cook
System Administrator
Partnership For Strong Families
5950 NW 1st Place
Gainesville, Fl 32607
Office (352) 244-1610
Cell (352) 215-6944
MCSE, MCP+I, MCTS, CompTIA A+, N+, VSP4, VTSP4

From: Robert Jackson [mailto:r...@walkermartyn.co.uk]
Sent: Thursday, June 16, 2011 12:04 PM
To: NT System Admin Issues
Subject: Hiding Outlook 2003 Icon

I have setup an x64 Windows 2003 Server (Standard Edition) running Terminal 
Services and have installed M$ Office 2003. What I now want to do is stop a 
group of users on this server from seeing and therefore being able to run the 
MS Outlook 2003 icon in the Start Menu.

Anyone know of a way? Is there a GPO etc.?


Regards,
Rab.
=
Robert Jackson             Phone: +44 (0) 141 332 7999
IT Manager                 Fax: +44 (0) 141 331 2820
Walker Martyn Ltd
1 Park Circus Place        Email: r...@walkermartyn.co.uk
Glasgow G3 6AH, Scotland   Web: http://www.walkermartyn.co.uk
=






CONFIDENTIALITY STATEMENT: The information transmitted, or contained or 
attached to or with this Notice is intended only for the person or entity to 
which it is addressed and may contain Protected Health Information (PHI), 
confidential and/or privileged material. Any review, transmission, 
dissemination, or other use of, and taking any action in reliance upon this 
information by persons or entities other than the intended recipient without 
the express written consent of the sender are prohibited. This information may 
be protected by the Health Insurance Portability and Accountability Act of 1996 
(HIPAA), and other Federal and Florida laws. Improper or unauthorized use or 
disclosure of this information could result in civil and/or criminal penalties.
Consider the environment. Please don't print this e-mail unless you really need 
to.

This email and any attached files are confidential and intended solely for the 
intended recipient(s). If you are not the named recipient you should not read, 
distribute, copy or alter this email. Any views or opinions expressed in this 
email are those of the author and do not represent those of the company. 
Warning: Although precautions have been taken to make sure no viruses are 
present in this email, the company cannot accept responsibility for any loss or 
damage that arise from the use of this email or attachments.


RE: Hiding Outlook 2003 Icon

2011-06-16 Thread Sam Cayze
Just delete the Shortcut in the All Users Start Menu folder?

 

From: Robert Jackson [mailto:r...@walkermartyn.co.uk] 
Sent: Thursday, June 16, 2011 11:04 AM
To: NT System Admin Issues
Subject: Hiding Outlook 2003 Icon

 

I have setup an x64 Windows 2003 Server (Standard Edition) running Terminal
Services and have installed M$ Office 2003. What I now want to do is stop a
group of users on this server from seeing and therefore being able to run
the MS Outlook 2003 icon in the Start Menu.

 

Anyone know of a way? Is there a GPO etc.?

 

 

Regards,
Rab.
=
Robert Jackson             Phone: +44 (0) 141 332 7999
IT Manager                 Fax: +44 (0) 141 331 2820
Walker Martyn Ltd
1 Park Circus Place        Email: r...@walkermartyn.co.uk
Glasgow G3 6AH, Scotland   Web: http://www.walkermartyn.co.uk
=

 

 


RE: Hiding Outlook 2003 Icon

2011-06-16 Thread Webster
 

Change the permission on the icon.

Carl Webster
Consultant and Citrix Technology Professional
http://dabcc.com/Webster

 

 

From: Robert Jackson [mailto:r...@walkermartyn.co.uk] 
Subject: Hiding Outlook 2003 Icon

 

I have setup an x64 Windows 2003 Server (Standard Edition) running Terminal
Services and have installed M$ Office 2003. What I now want to do is stop a
group of users on this server from seeing and therefore being able to run
the MS Outlook 2003 icon in the Start Menu.

 

Anyone know of a way? Is there a GPO etc.?



RE: Hiding Outlook 2003 Icon

2011-06-16 Thread Kennedy, Jim
I don't have an answer on hiding the icon, but how about a gpo software 
restriction policy that does not let them run outlook.exe? They will click the 
icon and get a deny message.

From: Robert Jackson [mailto:r...@walkermartyn.co.uk]
Sent: Thursday, June 16, 2011 12:04 PM
To: NT System Admin Issues
Subject: Hiding Outlook 2003 Icon

I have set up an x64 Windows 2003 Server (Standard Edition) running Terminal 
Services and have installed M$ Office 2003. What I now want to do is stop a 
group of users on this server from seeing and therefore being able to run the 
MS Outlook 2003 icon in the Start Menu.

Anyone know of a way? Is there a GPO etc.?


Regards,
Rab.
Robert Jackson             Phone: +44 (0) 141 332 7999
IT Manager                 Fax:   +44 (0) 141 331 2820
Walker Martyn Ltd
1 Park Circus Place        Email: r...@walkermartyn.co.uk
Glasgow G3 6AH, Scotland   Web:   http://www.walkermartyn.co.uk





RE: Fake antivirus

2011-06-16 Thread Tammy Stewart
Good to hear Mike,

 

Just in case some others missed it -

http://supportforums.sunbeltsoftware.com/messageview.aspx?catid=76&threadid=7944&enterthread=y

 

If still getting redirects after the rogue exes have been removed - it is
usually volsnap.sys that is compromised. Replacing with known good copy from
recovery console/barts/UBCD/etc will take care of that issue.

 

If still active - avoid logging in with admin privs if possible & use
process explorer to kill the rogue, rename it etc. (run as)
Logging in with admin privs will surely mangle volsnap.sys.

 

Cheers!

 

Tammy

 


From: Mike Sullivan [mailto:neog...@gmail.com] 
Sent: Thursday, June 16, 2011 10:12 AM
To: NT System Admin Issues
Subject: Re: Fake antivirus

 

I ran into this on Monday, at least I have my users locked down and they
only saw the message that the hard drive was failing and their shortcuts
disappeared. I followed Tammy's instructions and had it cleaned up pronto! 

On Thu, Jun 16, 2011 at 6:53 AM, Jonathan  wrote:

I've run into a nice variant of this just this morning... the window is
titled, "Windows Vista Restore" and the caption at the top of the window
says, "PC Performance & Stability analysis report". It is telling me that the
hard drive is failing and that private data is at risk.

When I went into the root of C:. it only showed one file, named
bootsect.bak. After I chose to display all hidden and OS files,
voila, everything in C: and on the desktop appeared.

 

What a way to start a Thursday - at least it isn't Monday!

 

JR

On Mon, Jun 6, 2011 at 11:56 AM, Roger Wright  wrote:

Try setting him up with ClearCloudDNS - might help prevent future
infections.


Roger Wright
___

"Formula for success: rise early, work hard, strike oil." - J. Paul Getty






On Fri, Jun 3, 2011 at 10:34 AM, John Aldrich wrote:
> Thanks... This particular user is unlucky enough to have teenagers who use
> his computer. My guess is they are visiting infected/hostile/0wned sites and
> that's how he's getting infected. Never really had a problem when he was
> working here, so I'm suspecting it's some of his grandkids that are causing
> the problem.
>
> As I have not yet seen the problem, I don't know if it's going to be easy or
> difficult. Hopefully MBAM and Vipre won't have any problem with it. :D
>
> Thanks again!
>
> From: James Rankin [mailto:kz2...@googlemail.com]
> Sent: Friday, June 03, 2011 10:31 AM
> To: NT System Admin Issues
> Subject: Re: Fake antivirus
>
> May be time to invest in some UAT (user awareness training). Continual
> re-infestation either means he is unlucky, or gung-ho in his browsing.
>
> I've had some fake AVs recently which were ridiculously easy to get rid of
> (kill process, delete files, remove autorun entry). Others have been more
> stealthy - such as killing targeted windows like Task Manager. Booting into
> safe mode usually prevents these extra "features" from bothering you.
>
> But as with everything - a reimage may be the only way to be sure.
> On 3 June 2011 15:26, John Aldrich wrote:
> I'm going to go to a former co-worker's this afternoon to clean his system
> (again) from another fake antivirus infestation. I've already got Vipre
> Rescue and Malware Bytes on a memory stick. I've also got RKILL. I haven't
> had to deal with any fake antivirus in a few weeks. Just wondering if they
> have developed any new tricks recently that I should be aware of?
>
> Oh, this user had Vipre Home on his PC, and got infested anyway. Should I
> submit samples to Sunbelt (assuming I can find where they're quarantined)???
>
> Thanks!
>


> --
> "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
> the machine wrong figures, will the right answers come out?' I am not able
> rightly to apprehend the kind of confusion of ideas that could provoke such
> a question."
>
> IMPORTANT: The information in this email is CONFIDENTIAL. If its contents
> are disclosed in any way my lawyers will swoop down from black helicopters
> like Seal Team Six and drag you away with a black bag over your head. They
> will then take you to a secret prison and make you fight to the death with
> other people who dared to share this email. You will be given a large bowie
> knife and a supply of methamphetamines while I watch the said deathmatch and
> wager vast sums of money on who will be the winner. If the fight becomes
> boring or there is a stalemate, I will release rabid dogs and my two-stone
> cat into the arena to liven things up a bit. If these animals bec

Hiding Outlook 2003 Icon

2011-06-16 Thread Robert Jackson
I have set up an x64 Windows 2003 Server (Standard Edition) running
Terminal Services and have installed M$ Office 2003. What I now want to
do is stop a group of users on this server from seeing and therefore
being able to run the MS Outlook 2003 icon in the Start Menu.

 

Anyone know of a way? Is there a GPO etc.?

 

 

Regards,

Rab.

Robert Jackson             Phone: +44 (0) 141 332 7999
IT Manager                 Fax:   +44 (0) 141 331 2820
Walker Martyn Ltd
1 Park Circus Place        Email: r...@walkermartyn.co.uk
Glasgow G3 6AH, Scotland   Web:   http://www.walkermartyn.co.uk

 






Re: Fake antivirus

2011-06-16 Thread Jonathan
True... But on another note...

THAT my friend, is one AWESOME disclaimer!

JR

On Thu, Jun 16, 2011 at 10:14 AM, James Rankin wrote:

> Application whitelisting saves me from annoyances like this, generally
>
>
> On 16 June 2011 15:11, Mike Sullivan  wrote:
>
>> I ran into this on Monday, at least I have my users locked down and they
>> only saw the message that the hard drive was failing and their shortcuts
>> disappeared. I followed Tammy's instructions and had it cleaned up pronto!
>>
>>
>> On Thu, Jun 16, 2011 at 6:53 AM, Jonathan  wrote:
>>
>>> I've run into a nice variant of this just this morning... the window is
>>> titled, "Windows Vista Restore" and the caption at the top of the window
>>> says, "PC Performance & Stability analysis report". It is telling me that the
>>> hard drive is failing and that private data is at risk.
>>>
>>> When I went into the root of C:. it only showed one file, named
>>> bootsect.bak. After I chose to display all hidden and OS files,
>>> voila, everything in C: and on the desktop appeared.
>>>
>>> What a way to start a Thursday - at least it isn't Monday!
>>>
>>> JR
>>>
>>> On Mon, Jun 6, 2011 at 11:56 AM, Roger Wright  wrote:
>>>
>>>> Try setting him up with ClearCloudDNS - might help prevent future
>>>> infections.
>>>>
>>>>
>>>> Roger Wright
>>>> ___
>>>>
>>>> "Formula for success: rise early, work hard, strike oil." - J. Paul Getty
>>>>
>>>> On Fri, Jun 3, 2011 at 10:34 AM, John Aldrich wrote:
>>>> > Thanks... This particular user is unlucky enough to have teenagers who use
>>>> > his computer. My guess is they are visiting infected/hostile/0wned sites and
>>>> > that's how he's getting infected. Never really had a problem when he was
>>>> > working here, so I'm suspecting it's some of his grandkids that are causing
>>>> > the problem.
>>>> >
>>>> > As I have not yet seen the problem, I don't know if it's going to be easy or
>>>> > difficult. Hopefully MBAM and Vipre won't have any problem with it. :D
>>>> >
>>>> > Thanks again!
>>>> >
>>>> > From: James Rankin [mailto:kz2...@googlemail.com]
>>>> > Sent: Friday, June 03, 2011 10:31 AM
>>>> > To: NT System Admin Issues
>>>> > Subject: Re: Fake antivirus
>>>> >
>>>> > May be time to invest in some UAT (user awareness training). Continual
>>>> > re-infestation either means he is unlucky, or gung-ho in his browsing.
>>>> >
>>>> > I've had some fake AVs recently which were ridiculously easy to get rid of
>>>> > (kill process, delete files, remove autorun entry). Others have been more
>>>> > stealthy - such as killing targeted windows like Task Manager. Booting into
>>>> > safe mode usually prevents these extra "features" from bothering you.
>>>> >
>>>> > But as with everything - a reimage may be the only way to be sure.
>>>> > On 3 June 2011 15:26, John Aldrich wrote:
>>>> > I'm going to go to a former co-worker's this afternoon to clean his system
>>>> > (again) from another fake antivirus infestation. I've already got Vipre
>>>> > Rescue and Malware Bytes on a memory stick. I've also got RKILL. I haven't
>>>> > had to deal with any fake antivirus in a few weeks. Just wondering if they
>>>> > have developed any new tricks recently that I should be aware of?
>>>> >
>>>> > Oh, this user had Vipre Home on his PC, and got infested anyway. Should I
>>>> > submit samples to Sunbelt (assuming I can find where they're quarantined)???
>>>> >
>>>> > Thanks!
>>>> >
>>>> > --
>>>> > "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
>>>> > the machine wrong figures, will the right answers come out?' I am not able
>>>> > rightly to apprehend the kind of confusion of ideas that could provoke such
>>>> > a question."
>>>> >
>>>> > IMPORTANT: The information in this email is CONFIDENTIAL. If its contents
>>>> > are disclosed in any way my lawyers will swoop down from black helicopters
>>>> > like Seal Team Six and drag you away with a black bag over your head. They
>>>> > will then take you to a secret prison and make you fight to the death with
>>>> > other people who dared to share this email. You will be given a large bowie
>>>> > knife and a supply of methamphetamines while I watch the said deathmatch and
>>>> > wager vast sums of money on who will be the winner. If the fight becomes
>>>> > boring or there is a stalemate, I will release rabid dogs and my two-stone
>>>> > cat into the arena to liven things up a bit. If th

RE: Image Editing software

2011-06-16 Thread Steven M. Caesare
+1. 

And built it myself[1] from a kit.

-sc

[1] Well, with my Dad.


> -Original Message-
> From: Rankin, James R [mailto:kz2...@googlemail.com]
> Sent: Thursday, June 09, 2011 6:54 PM
> To: NT System Admin Issues
> Subject: Re: Image Editing software
> 
> I used to live a fulfilled electronic life using a 1K ZX81
> 
> --Original Message--
> From: Michael B. Smith
> To: NT System Admin Issues
> ReplyTo: NT System Admin Issues
> Subject: RE: Image Editing software
> Sent: 9 Jun 2011 23:45
> 
> Who needs more than 640K?
> 
> Regards,
> 
> Michael B. Smith
> Consultant and Exchange MVP
> http://TheEssentialExchange.com
> 
> 
> -Original Message-
> From: Ben Scott [mailto:mailvor...@gmail.com]
> Sent: Thursday, June 09, 2011 6:34 PM
> To: NT System Admin Issues
> Subject: Re: Image Editing software
> 
> On Thu, Jun 9, 2011 at 2:56 PM, Kennedy, Jim wrote:
> > But the bottom line is Adobe imaging products just don't play well in
> > a network environment. They still strongly recommend against editing a
> > file on a server with Photoshop, they say copy it locally first.
> 
>   This "network" idea will never take off anyway.
> 
> -- Ben
> 
> Typed frustratingly slowly on my BlackBerry(r) wireless device




Re: Fake antivirus

2011-06-16 Thread Jonathan
+100 for Tammy's instructions!

JR

On Thu, Jun 16, 2011 at 10:11 AM, Mike Sullivan  wrote:

> I ran into this on Monday, at least I have my users locked down and they
> only saw the message that the hard drive was failing and their shortcuts
> disappeared. I followed Tammy's instructions and had it cleaned up pronto!
>
>
> On Thu, Jun 16, 2011 at 6:53 AM, Jonathan  wrote:
>
>> I've run into a nice variant of this just this morning... the window is
>> titled, "Windows Vista Restore" and the caption at the top of the window
>> says, "PC Performance & Stability analysis report". It is telling me that the
>> hard drive is failing and that private data is at risk.
>>
>> When I went into the root of C:. it only showed one file, named
>> bootsect.bak. After I chose to display all hidden and OS files,
>> voila, everything in C: and on the desktop appeared.
>>
>> What a way to start a Thursday - at least it isn't Monday!
>>
>> JR
>>
>> On Mon, Jun 6, 2011 at 11:56 AM, Roger Wright  wrote:
>>
>>> Try setting him up with ClearCloudDNS - might help prevent future
>>> infections.
>>>
>>>
>>> Roger Wright
>>> ___
>>>
>>> "Formula for success: rise early, work hard, strike oil." - J. Paul Getty
>>>
>>>
>>>
>>>
>>>
>>> On Fri, Jun 3, 2011 at 10:34 AM, John Aldrich wrote:
>>> > Thanks... This particular user is unlucky enough to have teenagers who use
>>> > his computer. My guess is they are visiting infected/hostile/0wned sites and
>>> > that's how he's getting infected. Never really had a problem when he was
>>> > working here, so I'm suspecting it's some of his grandkids that are causing
>>> > the problem.
>>> >
>>> > As I have not yet seen the problem, I don't know if it's going to be easy or
>>> > difficult. Hopefully MBAM and Vipre won't have any problem with it. :D
>>> >
>>> > Thanks again!
>>> >
>>> > From: James Rankin [mailto:kz2...@googlemail.com]
>>> > Sent: Friday, June 03, 2011 10:31 AM
>>> > To: NT System Admin Issues
>>> > Subject: Re: Fake antivirus
>>> >
>>> > May be time to invest in some UAT (user awareness training). Continual
>>> > re-infestation either means he is unlucky, or gung-ho in his browsing.
>>> >
>>> > I've had some fake AVs recently which were ridiculously easy to get rid of
>>> > (kill process, delete files, remove autorun entry). Others have been more
>>> > stealthy - such as killing targeted windows like Task Manager. Booting into
>>> > safe mode usually prevents these extra "features" from bothering you.
>>> >
>>> > But as with everything - a reimage may be the only way to be sure.
>>> > On 3 June 2011 15:26, John Aldrich wrote:
>>> > I'm going to go to a former co-worker's this afternoon to clean his system
>>> > (again) from another fake antivirus infestation. I've already got Vipre
>>> > Rescue and Malware Bytes on a memory stick. I've also got RKILL. I haven't
>>> > had to deal with any fake antivirus in a few weeks. Just wondering if they
>>> > have developed any new tricks recently that I should be aware of?
>>> >
>>> > Oh, this user had Vipre Home on his PC, and got infested anyway. Should I
>>> > submit samples to Sunbelt (assuming I can find where they're quarantined)???
>>> >
>>> > Thanks!
>>> >
>>> > --
>>> > "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
>>> > the machine wrong figures, will the right answers come out?' I am not able
>>> > rightly to apprehend the kind of confusion of ideas that could provoke such
>>> > a question."
>>> >
>>> > IMPORTANT: The information in this email is CONFIDENTIAL. If its contents
>>> > are disclosed in any way my lawyers will swoop down from black helicopters
>>> > like Seal Team Six and drag you away with a black bag over your head. They
>>> > will then take you to a secret prison and make you fight to the death with
>>> > other people who dared to share this email. You will be given a large bowie
>>> > knife and a supply of methamphetamines while I watch the said deathmatch and
>>> > wager vast sums of money on who will be the winner. If the fight becomes
>>> > boring or there is a stalemate, I will release rabid dogs and my two-stone
>>> > cat into the arena to liven things up a bit. If these animals become in any
>>> > way docile, I will squirt them with water pistols until they become a bit
>>> > more temperamental.

Fake order receipts

2011-06-16 Thread John Aldrich
Just a heads-up... several of my users have received emails over the past
few days allegedly containing a link to an order confirmation page or
receipt for something they never ordered. I tried to go to one of these
sites today on my Linux box using Google Chrome and got a warning that the
page I was trying to view contained links to a known malware site. 

Just thought I'd pass this along... it got through our spam / virus filter
(RedCondor) so I thought maybe y'all might want to know... the subject of
the messages was something along the lines of "(your name) sale bill
#(random number)" or "(your name) purchasing summary #(random number)"








Re: Determine who has VPN access?

2011-06-16 Thread Mike Wiebke
You can do this with a saved query in ADUC.  Just create a new query and select 
"Custom Search" for the query type.  Click on the Advanced tab and enter 
msNPAllowDialIn=TRUE for the query.  I think this is case sensitive.

Mike W.




- Original Message 
From: Eric Brouwer 
To: NT System Admin Issues 
Sent: Thu, June 16, 2011 9:29:57 AM
Subject: Determine who has VPN access?

Greetings!

I have a Windows 2003 Server configured for VPN access.  Is there a
way to determine what users/groups have the Dial-In/VPN right outside
of going through each user in Active Directory?

Thank you,

Eric



RE: Determine who has VPN access?

2011-06-16 Thread Charlie Kaiser
Try this:
adfind -s subtree -f "msNPAllowDialIn=TRUE" username

note that the "TRUE" is case sensitive...

Don't have ADFind? Get it from joeware.net...

***
Charlie Kaiser
charl...@golden-eagle.org
Kingman, AZ
***  


> -Original Message-
> From: Eric Brouwer [mailto:ithelp.e...@gmail.com]
> Sent: Thursday, June 16, 2011 7:30 AM
> To: NT System Admin Issues
> Subject: Determine who has VPN access?
> 
> Greetings!
> 
> I have a Windows 2003 Server configured for VPN access.  Is there a
> way to determine what users/groups have the Dial-In/VPN right outside
> of going through each user in Active Directory?
> 
> Thank you,
> 
> Eric




RE: Determine who has VPN access?

2011-06-16 Thread Mayo, Bill
You could write a script to go through all the accounts in AD and check
for a "true" value for "msNPAllowDialIn".  If you are not a scripter,
there are a lot of examples out there about making a VBScript that
parses through user accounts; just modify it to look for this value.

-Original Message-
From: Eric Brouwer [mailto:ithelp.e...@gmail.com] 
Sent: Thursday, June 16, 2011 10:30 AM
To: NT System Admin Issues
Subject: Determine who has VPN access?

Greetings!

I have a Windows 2003 Server configured for VPN access.  Is there a
way to determine what users/groups have the Dial-In/VPN right outside
of going through each user in Active Directory?

Thank you,

Eric
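
The saved query, the adfind filter and the script idea in the replies above all come down to one LDAP filter on msNPAllowDialIn. As an added example (not from any poster in the thread), the PowerShell below runs that filter with the .NET DirectorySearcher; the function name Find-DialInUsers and the report layout are hypothetical, and it assumes a domain-joined machine with PowerShell 2.0 or later.

```powershell
# Added example, not from the thread. Find-DialInUsers is a hypothetical
# helper name. Assumes the caller can read msNPAllowDialIn and
# userAccountControl on user objects in the current domain.

function Find-DialInUsers {
    param(
        # LDAP filter clause for the dial-in attribute,
        # e.g. '(msNPAllowDialIn=TRUE)'. TRUE/FALSE must be upper case.
        [string]$DialInClause
    )

    # With no SearchRoot set, the searcher uses the root of the current domain.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)$DialInClause)"
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    $searcher.PageSize = 500   # paged search, so results are not cut off at the server limit
    foreach ($attr in 'sAMAccountName', 'distinguishedName', 'userAccountControl') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            # Property names come back lower-cased in the result collection.
            $uac = [int]$r.Properties['useraccountcontrol'][0]
            New-Object PSObject -Property @{
                Account  = [string]$r.Properties['samaccountname'][0]
                Disabled = [bool]($uac -band 2)   # ACCOUNTDISABLE bit
                DN       = [string]$r.Properties['distinguishedname'][0]
            }
        }
    }
    finally {
        $results.Dispose()     # FindAll() holds unmanaged resources
        $searcher.Dispose()
    }
}

# Explicit "Allow access" on the Dial-in tab.
$allowed = @(Find-DialInUsers '(msNPAllowDialIn=TRUE)')
# Explicit "Deny access".
$denied  = @(Find-DialInUsers '(msNPAllowDialIn=FALSE)')
# Attribute not set at all.
$unset   = @(Find-DialInUsers '(!(msNPAllowDialIn=*))')

$allowed |
    Sort-Object Account |
    Select-Object Account, Disabled, DN |
    Format-Table -AutoSize

'Explicit allow: {0}   explicit deny: {1}   no explicit setting: {2}' -f `
    $allowed.Count, $denied.Count, $unset.Count
```

Accounts with no value set are governed by the remote access policy on the RRAS/IAS server, typically through group conditions, so the "no explicit setting" count marks accounts this attribute query cannot decide on its own. The Disabled column helps spot accounts that still carry an explicit allow after being turned off.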




Determine who has VPN access?

2011-06-16 Thread Eric Brouwer
Greetings!

I have a Windows 2003 Server configured for VPN access.  Is there a
way to determine what users/groups have the Dial-In/VPN right outside
of going through each user in Active Directory?

Thank you,

Eric



Re: [OT] Citibank worse at security than Sony

2011-06-16 Thread Ben Scott
On Wed, Jun 15, 2011 at 10:55 AM, Free, Bob  wrote:
> If recent history is any indicator, they will get a big bailout for their
> malfeasance, any indiscretions will be ignored by regulators, they will pat
> themselves on the back with huge bonuses for weathering the storm, and the
> consumer will be left holding the bag.

  That is a fairly accurate description of the environment.  Unfortunately.

  "There are seldom good technological solutions to behavioral problems."

-- Ben



Re: [OT] Citibank worse at security than Sony

2011-06-16 Thread Ben Scott
On Wed, Jun 15, 2011 at 10:52 AM, Andrew S. Baker  wrote:
> Well, we (collective we) have to stop giving them easy outs.
>
> They find ways to make sure that they can use hot-off-the-presses technology
> to get order entry or other more-direct-to-revenue projects done, and heads
> roll appropriately for not getting it done on time.

  +MAXINT+1   (An overflow.  (Get it?))

-- Ben



Re: Fake antivirus

2011-06-16 Thread James Rankin
Application whitelisting saves me from annoyances like this, generally

On 16 June 2011 15:11, Mike Sullivan  wrote:

> I ran into this on Monday, at least I have my users locked down and they
> only saw the message that the hard drive was failing and their shortcuts
> disappeared. I followed Tammy's instructions and had it cleaned up pronto!
>
>
> On Thu, Jun 16, 2011 at 6:53 AM, Jonathan  wrote:
>
>> I've run into a nice variant of this just this morning... the window is
>> titled, "Windows Vista Restore" and the caption at the top of the window
>> says, "PC Performance & Stability analysis report". It is telling me that the
>> hard drive is failing and that private data is at risk.
>>
>> When I went into the root of C:. it only showed one file, named
>> bootsect.bak. After I chose to display all hidden and OS files,
>> voila, everything in C: and on the desktop appeared.
>>
>> What a way to start a Thursday - at least it isn't Monday!
>>
>> JR
>>
>> On Mon, Jun 6, 2011 at 11:56 AM, Roger Wright  wrote:
>>
>>> Try setting him up with ClearCloudDNS - might help prevent future
>>> infections.
>>>
>>>
>>> Roger Wright
>>> ___
>>>
>>> "Formula for success: rise early, work hard, strike oil." - J. Paul Getty
>>>
>>>
>>>
>>>
>>>
>>> On Fri, Jun 3, 2011 at 10:34 AM, John Aldrich wrote:
>>> > Thanks... This particular user is unlucky enough to have teenagers who use
>>> > his computer. My guess is they are visiting infected/hostile/0wned sites and
>>> > that's how he's getting infected. Never really had a problem when he was
>>> > working here, so I'm suspecting it's some of his grandkids that are causing
>>> > the problem.
>>> >
>>> > As I have not yet seen the problem, I don't know if it's going to be easy or
>>> > difficult. Hopefully MBAM and Vipre won't have any problem with it. :D
>>> >
>>> > Thanks again!
>>> >
>>> > From: James Rankin [mailto:kz2...@googlemail.com]
>>> > Sent: Friday, June 03, 2011 10:31 AM
>>> > To: NT System Admin Issues
>>> > Subject: Re: Fake antivirus
>>> >
>>> > May be time to invest in some UAT (user awareness training). Continual
>>> > re-infestation either means he is unlucky, or gung-ho in his browsing.
>>> >
>>> > I've had some fake AVs recently which were ridiculously easy to get rid of
>>> > (kill process, delete files, remove autorun entry). Others have been more
>>> > stealthy - such as killing targeted windows like Task Manager. Booting into
>>> > safe mode usually prevents these extra "features" from bothering you.
>>> >
>>> > But as with everything - a reimage may be the only way to be sure.
>>> > On 3 June 2011 15:26, John Aldrich wrote:
>>> > I'm going to go to a former co-worker's this afternoon to clean his system
>>> > (again) from another fake antivirus infestation. I've already got Vipre
>>> > Rescue and Malware Bytes on a memory stick. I've also got RKILL. I haven't
>>> > had to deal with any fake antivirus in a few weeks. Just wondering if they
>>> > have developed any new tricks recently that I should be aware of?
>>> >
>>> > Oh, this user had Vipre Home on his PC, and got infested anyway. Should I
>>> > submit samples to Sunbelt (assuming I can find where they're quarantined)???
>>> >
>>> > Thanks!
>>> >
>>> > --
>>> > "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
>>> > the machine wrong figures, will the right answers come out?' I am not able
>>> > rightly to apprehend the kind of confusion of ideas that could provoke such
>>> > a question."
>>> >
>>> > IMPORTANT: The information in this email is CONFIDENTIAL. If its contents
>>> > are disclosed in any way my lawyers will swoop down from black helicopters
>>> > like Seal Team Six and drag you away with a black bag over your head. They
>>> > will then take you to a secret prison and make you fight to the death with
>>> > other people who dared to share this email. You will be given a large bowie
>>> > knife and a supply of methamphetamines while I watch the said deathmatch and
>>> > wager vast sums of money on who will be the winner. If the fight becomes
>>> > boring or there is a stalemate, I will release rabid dogs and my two-stone
>>> > cat into the arena to liven things up a bit. If these animals become in any
>>> > way docile, I will squirt them with water pistols until they become a bit
>>> > more temperamental.

Re: [OT] Citibank worse at security than Sony

2011-06-16 Thread Ben Scott
On Wed, Jun 15, 2011 at 10:46 AM, Ken Schaefer wrote:
> ... 10 years ago. If that’s when the app was developed, the programmers
> probably didn’t know better ...

  That excuse gets tossed around a lot -- "we weren't being attacked
then", or "this is a new threat".  I consider it bull.

  Computer security is *not* a recent field of study.  The fact that
one's industry/region/company/city block/programming language/whatever
hasn't been hit before does not mean security is unimportant.  Sadly,
most managers don't seem to appreciate that.

-- Ben


Re: Fake antivirus

2011-06-16 Thread Mike Sullivan
I ran into this on Monday, at least I have my users locked down and they
only saw the message that the hard drive was failing and their shortcuts
disappeared. I followed Tammy's instructions and had it cleaned up pronto!

On Thu, Jun 16, 2011 at 6:53 AM, Jonathan wrote:

> I've run into a nice variant of this just this morning... the window is
> titled, "Windows Vista Restore" and the caption at the top of the window
> says, "PC Performance & Stability analysis report". It is telling me that the
> hard drive is failing and that private data is at risk.
>
> When I went into the root of C:, it only showed one file, named
> bootsect.bak. After I chose to display all hidden and OS files,
> voilà, everything in C: and on the desktop appeared.
>
> What a way to start a Thursday - at least it isn't Monday!
>
> JR
>
> On Mon, Jun 6, 2011 at 11:56 AM, Roger Wright  wrote:
>
>> Try setting him up with ClearCloudDNS - might help prevent future
>> infections.
>>
>>
>> Roger Wright
>> ___
>>
>> "Formula for success: rise early, work hard, strike oil." - J. Paul Getty
>>
>>
>>
>>
>>
>> On Fri, Jun 3, 2011 at 10:34 AM, John Aldrich wrote:
>> > Thanks... This particular user is unlucky enough to have teenagers who use
>> > his computer. My guess is they are visiting infected/hostile/0wned sites and
>> > that's how he's getting infected. Never really had a problem when he was
>> > working here, so I'm suspecting it's some of his grandkids that are causing
>> > the problem.
>> >
>> > As I have not yet seen the problem, I don't know if it's going to be easy or
>> > difficult. Hopefully MBAM and Vipre won't have any problem with it. :D
>> >
>> > Thanks again!
>> >
>> > From: James Rankin [mailto:kz2...@googlemail.com]
>> > Sent: Friday, June 03, 2011 10:31 AM
>> > To: NT System Admin Issues
>> > Subject: Re: Fake antivirus
>> >
>> > May be time to invest in some UAT (user awareness training). Continual
>> > re-infestation either means he is unlucky, or gung-ho in his browsing.
>> >
>> > I've had some fake AVs recently which were ridiculously easy to get rid of
>> > (kill process, delete files, remove autorun entry). Others have been more
>> > stealthy - such as killing targeted windows like Task Manager. Booting into
>> > safe mode usually prevents these extra "features" from bothering you.
>> >
>> > But as with everything - a reimage may be the only way to be sure.
>> > On 3 June 2011 15:26, John Aldrich wrote:
>> > I'm going to go to a former co-worker's this afternoon to clean his system
>> > (again) from another fake antivirus infestation. I've already got Vipre
>> > Rescue and Malware Bytes on a memory stick. I've also got RKILL. I haven't
>> > had to deal with any fake antivirus in a few weeks. Just wondering if they
>> > have developed any new tricks recently that I should be aware of?
>> >
>> > Oh, this user had Vipre Home on his PC, and got infested anyway. Should I
>> > submit samples to Sunbelt (assuming I can find where they're quarantined)???
>> > Thanks!

Re: Fake antivirus

2011-06-16 Thread Jonathan
I've run into a nice variant of this just this morning... the window is
titled, "Windows Vista Restore" and the caption at the top of the window
says, "PC Performance & Stability analysis report". It is telling me that the
hard drive is failing and that private data is at risk.

When I went into the root of C:, it only showed one file, named
bootsect.bak. After I chose to display all hidden and OS files,
voilà, everything in C: and on the desktop appeared.

What a way to start a Thursday - at least it isn't Monday!

JR

On Mon, Jun 6, 2011 at 11:56 AM, Roger Wright  wrote:

> Try setting him up with ClearCloudDNS - might help prevent future
> infections.
>
>
> Roger Wright
> ___
>
> "Formula for success: rise early, work hard, strike oil." - J. Paul Getty
>
>
>
>
>
> On Fri, Jun 3, 2011 at 10:34 AM, John Aldrich wrote:
> > Thanks... This particular user is unlucky enough to have teenagers who use
> > his computer. My guess is they are visiting infected/hostile/0wned sites and
> > that's how he's getting infected. Never really had a problem when he was
> > working here, so I'm suspecting it's some of his grandkids that are causing
> > the problem.
> >
> > As I have not yet seen the problem, I don't know if it's going to be easy or
> > difficult. Hopefully MBAM and Vipre won't have any problem with it. :D
> >
> > Thanks again!
> >
> > From: James Rankin [mailto:kz2...@googlemail.com]
> > Sent: Friday, June 03, 2011 10:31 AM
> > To: NT System Admin Issues
> > Subject: Re: Fake antivirus
> >
> > May be time to invest in some UAT (user awareness training). Continual
> > re-infestation either means he is unlucky, or gung-ho in his browsing.
> >
> > I've had some fake AVs recently which were ridiculously easy to get rid of
> > (kill process, delete files, remove autorun entry). Others have been more
> > stealthy - such as killing targeted windows like Task Manager. Booting into
> > safe mode usually prevents these extra "features" from bothering you.
> >
> > But as with everything - a reimage may be the only way to be sure.
> > On 3 June 2011 15:26, John Aldrich wrote:
> > I'm going to go to a former co-worker's this afternoon to clean his system
> > (again) from another fake antivirus infestation. I've already got Vipre
> > Rescue and Malware Bytes on a memory stick. I've also got RKILL. I haven't
> > had to deal with any fake antivirus in a few weeks. Just wondering if they
> > have developed any new tricks recently that I should be aware of?
> >
> > Oh, this user had Vipre Home on his PC, and got infested anyway. Should I
> > submit samples to Sunbelt (assuming I can find where they're quarantined)???
> >
> > Thanks!

Re: [OT] Citibank worse at security than Sony

2011-06-16 Thread Ben Scott
On Wed, Jun 15, 2011 at 8:17 AM, Ken Schaefer  wrote:
> You can push all you like. But it's not your area of expertise. So you rely
> on other people to tell you that the app works well. Things will always still
> slip through the cracks.

  This isn't something that "slipped through the cracks".  It's a
total lack of understanding of computer security.

  Again, I am not expecting the suits to know how to design a secure
system.  I am expecting them to supervise their subordinates properly.
 That includes making sure your subordinates are competent, and doing
internal audits so you're not trusting the watchmen to watch the
watchmen.  Managing your workforce is what top management is about.
It is their job, and they failed to do it.  I expect them to be held
responsible for that.

  Well, actually, like someone else said, I expect them to dodge
responsibility and collect a bonus for dealing with the horrible
attackers.

-- Ben


Re: windows 7 forensics

2011-06-16 Thread Ben Scott
On Wed, Jun 15, 2011 at 5:14 PM, Jonathan  wrote:
> As for creating a forensically sound image, the "best" are supposedly FTK
> Imager, from Access Data Products, and EnCase (mentioned by Art DeKneef
> earlier in this thread) from Guidance Software ...

  The classic *nix tool "dd" will do a perfectly fine job at creating
an image.  (Bytes is bytes.)  It's even been ported to Windows,
although I don't know if it will work on a hard drive.  (Windows tends
to automatically mount (and thus lock) anything it recognizes.)

  The real trouble is Windows doesn't have a loopback block device.
This is the facility in Linux that lets you take a file and treat it
as a block device, which can in turn be mounted as a filesystem.
(Also useful with floppies and CDs.)  Hence the need for third-party
tools for that on Windows.

-- Ben
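
The workflow described in the message above (dd to take the image, a Linux loop device to mount it), as an added example that is not part of the original post. The SHA-256 verification, the read-only handling and the function names are assumptions of this example; it expects GNU coreutils and util-linux.

```shell
#!/bin/sh
# Added example: image a source with dd and prove the copy is bit-identical.
# SRC may be a block device (/dev/sdX) or a plain file.

# image_and_verify SRC IMG
# Hashes the source, copies it with dd, hashes the copy, and compares.
# Prints the SHA-256 on success; returns non-zero on mismatch or I/O error.
image_and_verify() {
    src=$1
    img=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }
    if [ -e "$img" ]; then
        echo "refusing to overwrite $img" >&2
        return 2
    fi

    before=$(sha256sum < "$src" | cut -d' ' -f1) || return 2
    # No conv=sync: it pads a short final block with zeros, which changes the
    # image size and hash when the source is not a multiple of bs.
    dd if="$src" of="$img" bs=64k 2>/dev/null || return 3
    after=$(sha256sum < "$img" | cut -d' ' -f1) || return 2

    [ "$before" = "$after" ] || { echo "hash mismatch" >&2; return 1; }
    chmod a-w "$img"    # guard the evidence copy against accidental writes
    printf '%s\n' "$after"
}

# mount_image_ro IMG MOUNTPOINT   (Linux, needs root)
# Assumes IMG holds a single filesystem (a partition image, not a whole disk).
# Attaches it to a read-only loop device and mounts that read-only.
mount_image_ro() {
    loopdev=$(losetup --find --show --read-only "$1") || return 1
    if ! mount -o ro,noexec,nodev,nosuid "$loopdev" "$2"; then
        losetup -d "$loopdev"
        return 1
    fi
    printf '%s\n' "$loopdev"    # caller detaches later with: losetup -d
}

# Stand-alone use: ./image.sh SRC IMG
if [ "$#" -eq 2 ]; then
    image_and_verify "$1" "$2"
fi
```

Record the printed hash with the case notes; re-hashing the image later and comparing shows it has not changed since acquisition.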
