Tuesday 2 December 2008
Antivirus XP 2008 and tdssserv.sys trojan / rootkit
There's some good info over here and I was interested to see that the old Microsoft/Sysinternals Rootkit Revealer showed up the hidden components (the F-Secure BlackLight rootkit eliminator showed up nothing). I booted off CD and manually removed them - the TDSSserv components were key. Was then able to start Windows and install Malwarebytes to clear up any loose ends.
It's getting rough out there.
Wednesday 26 November 2008
Microsoft Update error 0x80244022
Those pesky Update errors just keep coming.
Friday 21 November 2008
Symantec EndPoint Protection 11 MR3 client fails to install on SBS2003
Sounded just like some problems discussed on Experts Exchange and the Symantec forums. There was a whole thread dedicated to people opening support cases and requesting EndPoint Cleanwipe. So I did the same and within 20 minutes had a copy off Symantec ftp. It didn't fix the problem but wasted a couple of hours trashing the SEPM install as well as the previous Mail Security for Exchange. So after reinstalling both I was back to square one. Twelve hours later, Symantec tech support popped up having gotten around to reading the install log. Turns out there was an old Alert Management Server installed. It wouldn't remove from Add/Remove Programs or via CleanWipe.
The Microsoft Windows Installer Cleanup tool went all Chuck Norris on it and saved the day. One reboot later and a successful client install :-)
Saturday 6 September 2008
Antivirus XP 2008 or 2009 virus/spyware removal
Two of the infections I saw had got in past AVG. One had 7.5 Free and the other had v8 but slightly dated definitions - unlucky timing, I wouldn't hold it against the folks at AVG. My AVG 8 Pro spotted the .exe as soon as I copied it over to the PC.
I've heard of a couple of cases where people have had to put hours into extracting the bad and getting their PC back up and running - should have called Redleg tech support first ;-) Best fix I've come across has been the AntiMalware product from Malwarebytes. You can find it over here.
Wednesday 27 August 2008
SEP, SBS and SIFMSMSE - they're tech not medical in case you were struggling
Anyway to the point. I've had an SBS2003R2 server running SEP 11.0 MR2 (I'm not even going to go there with the rest of the acronyms, but it was pre MP too) and SIFMSMSE 6.0.6 generating daily warnings in the Event Viewer which were making it into the SBS 6am daily monitoring report. The daily report didn't actually show much other than the source was Symantec AntiVirus. Taking a look in the Event Viewer shows Event ID 45 and screams SYMANTEC TAMPER PROTECTION ALERT. Turns out it's Symantec's own product, the SIFMSMSE server which happily lives in the old SMSMSE directory.
Long story short, you can tell the antivirus to stop worrying about Symantec playing with itself (yes there was probably a more popular blog title in that) by going into SEP Console > Policies > Centralized Exceptions > right-click on the policy and choose Edit. Click Centralized Exceptions and add a Tamper Protection Exception for
[PROGRAM FILES]\Symantec\SMSMSE\6.0\Server\SAVFMSETask.exe
with an action of ignore.
All quiet on the front now.
PS I do like Symantec products - one of the few - always worked well for me, although the complexity and management from an SBS point of view seems to be increasing significantly. Reminds me of the old McAfee which just got too complex to manage quickly and easily for a small business - haven't touched that since.
Monday 25 August 2008
Allocated Memory - please sir, can I have some more
But if you look closely in the Task Manager and find that there are large memory allocations (170MB+) for sqlserver instances, you can adjust their figures.
Details on changing the maximum memory for a SQL instance, e.g. for the SBS Monitoring or the ISA Firewall or the Update Services can be found in the SBS team blog on troubleshooting high memory use.
There are some suggested figures to use from Susan's blog on throttling. They worked fine for me - one server regained 550MB and another around 200MB, with no apparent performance hits. Looked to me like it might be more relevant to pre-R2 servers, but that may have been coincidence.
Friday 22 August 2008
SBS Manchester meet 2008
Also pleased to meet Vijay who is the partner area lead for SBSC - think we'll just refer to him as the SBSC API ;-) Been keeping an eye on his iQubed blog for useful posts this year. Be good to see you up here again Vijay. BTW he seems to have more acronyms than Symantec.
(Hey Manchester got a mention :-)
The meeting isn't just about Microsoft either, we've got a range of partners from one-man to 20 staff so the peer support and discussion is varied and helpful. Next meeting is 18 September with some interesting third-party visitors from what I've heard. See you there.
Saturday 9 August 2008
SBS 2003 Monitoring Report cannot be displayed
I wasn't able to get a fix despite trying reboots, updates, disk checks, reconfiguring monitoring, SQL database checks, etc. Got a fix now thanks to advice from Les Connor, a Canadian SBS MVP, see the link here.
Basically you need to go into the main WSUS console (from Admin Tools) then Options and Server Cleanup Wizard. Running this with just the first option for Unused Updates fixed both servers. The PowerEdge took 18 hours to complete - reporting unused updates 11,092 and revisions 3,830. Sounds like this WSUS maintenance needs to happen on a monthly/quarterly schedule to keep the server optimised.
The basic server crashed out at 19 hours with SQL timeout errors. The monitoring report didn't come back immediately, until after a reboot.
Both are happy again ... me included :-)
Saturday 19 July 2008
The Hotel Vista
I managed to track down a couple of registry keys that helped. Thought I'd better post them now just for the record following a discussion recently about dodgy wireless connections.
First one is from Microsoft KB933340
HKLM\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters\DhcpGlobalForceBroadcastFlag \1
"0"= dword:00000000
I was reminded of the second one by Susan Bradley who pointed out Steve Riley's post.
Start a Command Prompt
(there's a cool short cut to this by shift-right-clicking a folder such as Documents)
(or use Windows-R key combo and type CMD)
then run the command
netsh int tcp set glo aut=dis
Thursday 3 July 2008
Which came first - the memory dump or the rainy day?
Anyway thought I'd best save the link somewhere prominent for a rainy day.
http://blogs.technet.com/petergal/archive/2006/03/23/422993.aspx
Whilst I'm on the theme of useful SBS Yahoo groups, also worth a look at ...
http://tech.groups.yahoo.com/group/UKSBSG/
Monday 16 June 2008
Symantec AntiVirus 10.x license expired at client
Turned out the Windows Firewall was getting in the way. Disabling it fixed the problem temporarily so the licence would install but there was no client management available. All the tools like view event log failed. I found Symantec doc 2004070817071248 which talked about using port 2967 for client communications. Using the Group Policy Management in the server management console let me add a firewall port exception to enable this for all PCs on the network.
I updated the Windows Firewall policy under Computer Configuration > Administrative templates > Network > Network Connections > Windows Firewall > Domain profile
and edited the Define Port Exceptions to include this line:
2967:TCP:*:Enabled:Symantec AntiVirus Management - Port
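The Define Port Exceptions setting takes entries of the form port:transport:scope:status:name, and the `*` scope in the line above accepts connections on 2967 from any source address. The following is an added example, not part of the original post: a small Python audit of such entries that flags wide scopes. The function names are hypothetical, and every sample entry except the first is constructed (192.168.16.2 stands in for the management server's address).

```python
import ipaddress
from dataclasses import dataclass

RFC1918 = [ipaddress.IPv4Network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class PortException:
    port: int
    transport: str
    scope: list      # "*", "localsubnet", or IPv4 address/subnet strings
    enabled: bool
    name: str

def parse_port_exception(entry):
    """Parse one 'port:transport:scope:status:name' policy line."""
    parts = [p.strip() for p in entry.split(":", 4)]
    if len(parts) != 5:
        raise ValueError("expected port:transport:scope:status:name")
    port, transport, scope, status, name = parts
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"bad port {port!r}")
    if transport.upper() not in ("TCP", "UDP"):
        raise ValueError(f"bad transport {transport!r}")
    if status.lower() not in ("enabled", "disabled"):
        raise ValueError(f"bad status {status!r}")
    items = [s.strip() for s in scope.split(",") if s.strip()]
    if not items:
        raise ValueError("empty scope")
    for item in items:
        if item != "*" and item.lower() != "localsubnet":
            ipaddress.IPv4Network(item, strict=False)  # ValueError if invalid
    return PortException(int(port), transport.upper(), items,
                         status.lower() == "enabled", name)

def audit_entry(entry):
    """Return findings for one entry; an empty list means nothing to flag."""
    exc = parse_port_exception(entry)
    if not exc.enabled:
        return []  # a disabled entry opens nothing
    findings = []
    for item in exc.scope:
        if item == "*":
            findings.append(f"{exc.transport}/{exc.port} open to any source address")
        elif item.lower() != "localsubnet":
            net = ipaddress.IPv4Network(item, strict=False)
            if not any(net.subnet_of(r) for r in RFC1918):
                findings.append(
                    f"{exc.transport}/{exc.port} scope {item} is outside RFC 1918 space")
    return findings

def audit_policy(lines):
    """Audit every line; malformed lines become findings instead of raising."""
    report = {}
    for line in lines:
        try:
            report[line] = audit_entry(line)
        except ValueError as err:
            report[line] = [f"malformed entry: {err}"]
    return report

# First entry is the line from the post; the rest are constructed samples.
SAMPLE_POLICY = [
    "2967:TCP:*:Enabled:Symantec AntiVirus Management - Port",
    "2967:TCP:192.168.16.2,localsubnet:Enabled:Symantec AntiVirus Management - Port",
    "2967:TCP:*:Disabled:Retired rule",
    "2967:TCP:everywhere:Enabled:Typo in scope",
]

if __name__ == "__main__":
    for line, findings in audit_policy(SAMPLE_POLICY).items():
        print(line, "->", findings or "ok")
```

Restricting the scope to `localsubnet` or the management server's address keeps client management working while closing the port to everything else.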
Friday 13 June 2008
Media Player authorisation
The ISA logging at the server showed this error:
Denied Connection
SERVER 13/06/2008 09:31:10
Log type: Web Proxy (Forward)
Status: 12209 The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied.
Tracked the fix down to this article http://www.freelists.org/archives/isalist/11-2007/msg00016.html which talked about an error when Media Player tries to resolve the proxy name. With Microsoft ISA Firewall Client installed you can disable the Media Player proxy setting for HTTP (Tools>Options>Network>HTTP>Configure and change from browser to do not use). The Firewall Client will then handle ISA authorisation correctly.
Using the GPO method to apply the change across all PCs made life easy:
"User Configuration\Administrative Templates\Windows Components\Windows Media Player\Networking"
set the "Configure HTTP Proxy" option to "Disabled"
Saturday 7 June 2008
Who to blame - Microsoft or cheap kit?
So next time you have to make a choice on cheap kit or recommended kit that costs a bit more but is likely to have had better design and testing, you might want to think twice.
Wonder if there are any other dodgy routers to come out of the closet yet? Just waiting for those phone calls once SP3 gets the green light through Microsoft Update ...
Thursday 8 May 2008
Best data recovery ever?
Wonder what the recovery bill was for getting 90% of the data back from this drive that survived the Columbia Shuttle explosion? Or do you think Ontrack just went with the publicity generated?
Did your backup work last night?
Wednesday 7 May 2008
XP SP3 finally puts in an appearance
I dived over to the Microsoft Downloads page to get a copy for my test machine, no luck can't see it. Surely they haven't pushed it out to Update Services .... and yes I can see it on WindowsUpdate too ... without making a download available for techies.
Anyway tracked it down from the notes on the Microsoft Update site in the end. If you're looking for it you'll need to go here for the Network Install Package.
http://www.microsoft.com/downloads/details.aspx?FamilyId=5B33B5A8-5E76-401F-BE08-1E1555D4F3D4
Install went smoothly, rebooted and no errors in Event Viewer. Everything looks ok.
Be interesting to see whether that rumoured 10% performance boost comes off, would certainly help this 3yr old PC :-)
Thursday 24 April 2008
Offline Files warning won't suppress
There's an MS document, KB811660, that talks about suppressing the warning for particular file types and locations. It's a bit obscure but the key point is to add this to the registry to skip warnings for Outlook PST files.
HKLM\Software\Policies\Microsoft\Windows\NetCache\ExclusionErrorSuppressionList \\\\*\\*\\*\\*.PST = 0x0000000 (REG_DWORD)
Unfortunately that didn't clear the error, even after the obligatory reboot. The trick to get it to take effect was to reset the Offline Files cache too. Go into My Documents > Tools > Folder Options > Offline Files and use Ctrl-Shift with Delete All Files. For more info take a look at KB230738.
Saturday 19 April 2008
New software from Apple, OS X for your PC
Tell you what, I'd be front of the queue. It's turning into quite a talking point with clients. I'm regularly getting asked about iMacs and MacBooks whenever anyone needs a new machine. Even last year the answer was don't go there, the transition for your business isn't worth it. However now, I explain Parallels or dual booting and that you can choose Mac or Windows at startup, it's a different proposition.
Take into account the compatibility and stability, the security benefits, the fact your staff can't download as much crapware onto the machines and the big impression Apple design gives to everyone, be it clients or staff, sounds like there could be a business case for switching there.
Thursday 17 April 2008
Vista, Suse 10.3 and multiple drives
title Windows
rootnoverify (0,0)
chainloader (0,0)+1
Even going into YaST Administrator Settings > System > Boot Loader and choosing Other > Edit Configuration Files > /boot/grub/menu.lst and over-writing the Windows entry didn't help. YaST must have known better, not.
As I couldn't boot Vista at this point I tried booting off the Vista DVD to repair startup with bootrec. Using the /fixboot option failed with an error that the volume wasn't compatible.
The solution I sussed in the end was manually editing /boot/grub/menu.lst using Kate started via su in terminal and amending to these settings:
title Windows
rootnoverify (1,0)
chainloader (1,0)+1
Novell's document on dual booting Vista and Linux has a similar solution.
Sunday 6 April 2008
SBS 2003 server SP2 setup error, failed to install catalog files
Service Pack 2 setup error "failed to install catalog files"
Retrying the setup (again), clearing temp files, checking Event Viewer didn't help at all. Finally found this useful article at Microsoft, KB822798. Ignore the majority and jump straight to Method 9, that did the trick and the install completed ok.
Interestingly the original error came about from a file read error which must have appeared whilst SP2 was unpacking. I was able to get over the read error by unpacking to another temp directory, finding the file and overwriting the faulty one. You can unpack to a temporary directory by doing a Start > Run (delete any entry already there) then drag the SP2 file to the Run box and add -X (you may also need quotes if there are any spaces in the directory names)
e.g. Start > Run >
"c:\downloaded files\microsoft\WindowsServer2003-KB914961-SP2-x86-ENU.exe" -x
Thursday 3 April 2008
File Conversion - online, of course
I get these calls occasionally where a client has been emailed a file and is wondering what to do with it. Usually end up using FILExt to identify the source and then try and track down a program that can handle it. Half the time this happens out at a client site, Zamzar could be the easy answer. Be interesting to see how comprehensive their conversion filters become. Pleased to see their privacy policy is making all the right noises about protecting emails and files.
Monday 31 March 2008
Lenovo tracking US Government laptops
Just coming to end of life with a T42, had a T23 previously and one prior to that too. Got several clients with T20's, T30, T42, T43, T60. One of those ThinkPad T43 laptops recently started failing to boot at the start logo. After a session swapping memory, drives, power, batteries and trying to fix MBR I concluded there was a system board issue ... two weeks before end of warranty, good timing. No problem getting it fixed, probably took around a week and they didn't do a hard disk recovery which kept my life simple - yeah of course we had a backup.
To the point, I've just had a Lenovo Customer Support Satisfaction survey email which I duly completed right up to the last screen ...
Yes just discreetly dropped in at the end there is the question 'Is this computer assigned to you personally for the purpose of performing US government work?' ... oh and it's mandatory. So are they just looking after probably one of their biggest customers ... or is it entirely coincidental that they want to identify US government work immediately after having a copy of the hard disk at their disposal. This being Blogger I'd have to go with the conspiracy every time :-)
Friday 14 March 2008
Shuttle SN41G2 (FN41 motherboard) BIOS
The replacement mobo had BIOS v18 (fn41s018.bin) and I was having a bit of trouble getting the memory speeds to stick properly. Went to Shuttle to get the v32 (fn41s032.bin) BIOS and found it wouldn't flash with the Award flash utility listed - kept getting an error about an invalid product. Available version was AWDFLASH v8.89. Fortunately I had a previous download of AWDFLASH V8.23 and that worked fine.
On the subject of noise Alfredo's Speedfan works well with this system and can keep the fan noise to a steadier level on a warm day - ideal if you've got the unit sat on the desk just by you.
Monday 3 March 2008
Samsung in need of therapy
Just occasionally the reports throw up a real LOL entry. One of my old test servers just reported this
It's an internal drive! Where did it disappear to and what sort of preparation did it think it needed!? I guess it didn't take well to the request to copy a 4GB file. I've got an image of it slinking out from the back of the PC, to hide behind the filing cabinet, rocking backwards and forwards, whimpering.
We need more error messages like this first thing :-)
Friday 29 February 2008
Exchange 2003 IMF updates (well, mostly)
The update installed successfully on the next attempt, but I found a few interesting pointers whilst checking out manual installs/uninstalls of IMF Updates.
There's a useful document from MS called the IMF v2 Operations Guide, linked from 907747.
You can manually install an update or go back to a recent version simply by registering the appropriate DLL and restarting IIS (run iisreset). Fire up a command prompt (Start > Run > CMD) and take a look at the pic below. The commands are:
cd exchsrvr\bin\MSCFV2\6.5.7993.0
regsvr32 MSExchange.UceContentFilter.dll
Note that if you try and register the MSExchange.UceContentFilter.dll from a different directory you'll get a 'module not found' error, so make sure you change to the correct directory first.
You can back out the current filter by simply registering the previous version. Alternatively head into Add/Remove Programs and remove the Update for IMF under Microsoft Exchange (you may need to tick the Show Updates box) which goes all the way back to the original Exchange 2003 SP2 filter when IMFv2 was originally installed.
The original error listed in Update Services, top picture, should automatically clear after 24 hours - but it didn't, nor after a reboot. Giving it another 24h post reboot ...
Sunday 17 February 2008
WindowsUpdate 0x8000FFFF fix
Fortunately at Ask Leo there's a comment from Mark Lewis / Eric M referring to some keys to delete in the registry (take a backup first!). Start regedit and head into HKLM\Components and remove the keys for PendingXmlIdentifier and AdvanceInstallerNeedResolving. Then restart and try WindowsUpdate again. Gotta be on the right track when the messages change from red to yellow :-) The update loaded in a blink with no prompts and I had to manually run an update check again - now we were in business ...
Friday 8 February 2008
ASP.NET Event ID: 1062 - confused SBS2003 server
Event ID: 1062
It is not possible to run two different versions of ASP.NET in the same IIS process. Please use the IIS Administration Tool to reconfigure your server to run the application in a separate process.
The solution is to create a new application pool (called KxEntiretyPool in this case) - see the screen shot - using the DefaultAppPool as the template. You can then go down into the Web Sites section, into Default Web Site and open the Properties for your new application. Simply change it over from DefaultAppPool to the new application pool and restart the Web Publishing service.
Tuesday 29 January 2008
Vista Boot Manager missing, along with rest of drive
Probably should have taken the hint at that point. When I finally took a look in the BIOS I spotted a missing master drive. The slave was present and looked like a former Windows drive and I think it may also have been a dual boot with PC Linux and GRUB at one point. Bottom line was I was trying to repair an old Windows with Vista recovery tools and it was proving to be a little resistant to the idea.
Mounting in another PC and running chkdsk sorted everything out and it reappeared back in its own PC and booted happily. I suspect it may not have required the other PC at all and I could have got away with disconnecting and reseating all the connectors. Wish I'd thought of the easier option first ... and that's why I'm posting at 00:13 in the wee hours of Monday night.
Sunday 20 January 2008
0x800700C1 fix
In short
As you tried to login to Windows XP Home (SP2) it showed a message and logged out again.
A problem is preventing Windows from accurately checking the license for this computer. Error code: 0x800700C1
The suggested fix for error 0x800700C1 had been to try re-registering regwizc/licdll or see 310794 from MS and if they don't work reinstall/recover XP - and more than likely lose your applications and settings.
In short, the answer I found was to uninstall Windows XP Service Pack 2 (SP2) using Safe Mode, which gets rid of the Windows Genuine Advantage that's causing the error. Then reboot and reinstall SP2 which resets WGA. I had to activate again (prob from resetting wpa.dbl earlier) and then install IE7 from MS Downloads before I could run WindowsUpdate.
[After reinstalling IE7 I got error 0x800703EE from WindowsUpdate which I traced to c:\windows\system32\wups2.dll - file length was 0 bytes. Deleting the file and reloading WindowsUpdate fixed that.]
Thursday 17 January 2008
HP source fixes printer
Second problem HP printer of the day was a Color (Colour!) LaserJet 2500 (tn model). When printing multiple copies of a document from Word, Acrobat, IE, Firefox, etc with a collate option you'd get both prints out ok followed by an error:
job storage status page
Error: Unable to store job at printer
Reason: Printer not configured to collate
Solution: Install an EIO hard disk
... yeah thanks for that HP, identify an error and immediately try and sell the customer an upgrade (is this printer spam!?)
Also noticed that clicking the update button in the device settings (to auto load tray and memory configuration) reported a communications error.
A few months back we were having regular printer errors with this CLJ2500 covering a range of memory overflows and communication faults. I upgraded to the new HP Universal Print driver - bad move. Talk about slow, particularly when loading properties. So I went back to the PCL6 driver and performance was better and curiously much less error-prone. Finally tracked down the collate error in an HP forum and an HP engineer recommending to go back to the PCL5 driver! With that loaded performance is quick, there are no communication errors, the update button works, multiple copies print without a 'buy an EIO hard disk' error and so far (fingers crossed) there have been no job failures or memory overflows.
Problems aside I'm still a huge fan of HP printers - build and design is excellent, support is good and widespread, compatibility is still important with some niche applications and there's never any problem getting hold of consumables or spares.
Friday 11 January 2008
AutoCorrect UK, Missing In Acton
The new Vista PC is running Office 2007. Once you're over the first month of 'where did that go' it's pretty straightforward. Not seen any of the Outlook problems that are described elsewhere. In fact I can't wait to get it all hooked into the new Office Accounting 2008 and see how all that hangs together too.
I did have one issue with Word/Outlook - no UK AutoCorrect. I noticed from the start that common misspellings weren't being corrected (e.g. teh) but never bothered to look why, just did a right-click and corrected the spelling. The AutoCorrect was on and the default language set to UK.
Today I finally got around to poking about and discovered the English UK AutoCorrect list was empty apart from a few common symbols, certainly no words. Changed to English US and there are a load of entries and AutoCorrect works fine - well, for most words anyway ;-)
When I tracked down the relevant file which is mso2057.acl in the username\appdata\roaming\microsoft\office directory, I found it was only 1KB. The US version mso1033.acl is 37KB. Checked the original CD and I could find the US one but not the UK.
So a fix, well more of a workaround, was to copy the mso2057.acl from the previous PC's Office 2003 - look in \documents and settings\username\application data\microsoft\office. AutoCorrect burst back into life and I'm no longer reminded just how terrible my typing has become - except when I'm blogging :-(
Sunday 6 January 2008
Vista gets the snip
I'd always used Alt-PrtScr to get a snapshot of a screen in XP and earlier. Doing IT support I use that quite frequently for sending out instructions and identifying problems. So I've been a bit frustrated that I could only use PrtScr for a full dual-screen grab rather than Alt-PrtScr for just the active window - haven't decided what combination of Vista / Vostro / Dynamode KVM / old IBM keyboard that's giving me a problem.
Then I found Snipping Tool. Just look under Programs > Accessories or type 'snippingtool' into the Run box (Win-R). Woo-hoo, quick ready cropped screen grabs ready to paste and save. I like that add url option too. My life is complete, well for another 5 minutes anyhow.
Thursday 3 January 2008
Would you like Mac with your Windows?
Considering what the program achieves in terms of emulating Windows XP within OS X and the complexities that must involve, the install pretty much sailed through (a bit surprising considering the horror stories in places like MacNN Forums). I chose to use the existing Boot Camp version of XP which it spotted and updated with its own drivers. XP needed activation again after installing, and then again after I'd rerun the Boot Camp version and gone back to Parallels. The last one was via the Microsoft automated telephone activation. Fortunately that did the trick - breathed sigh of relief.
The verdict - so it's a bit slower in OS X but entirely usable, very well thought out and very convenient for quickly checking something under XP or running an XP only program. I discovered the drag and drop by accident, moving a file to the XP desktop rather than Mac wastebasket - fortunately it wasn't anything large like a DVD ;-)