Tripredacus

We got our first copy of Symantec Norton Antivirus 2009 1-Year OEM CTO SYSTEM BUILDER EDITION in and there are some issues I have with it. Unlike previous versions it requires a CD Key on install. It still has its 15 day warning on the package, but I can't figure out how to install it. The older (2008 and so) did not ask for a key and would install and (I guess) just work for 15 days. Anyone try this one yet? I figure I'd ask here while I am waiting to get our support contact's info.

Are you not using WSIM to make your XP install? I'm guessing that you are doing a network boot to the bootmgr off the server and want the XP image to appear there is that correct? Or does it and it is not installing? There is a thread about using WinPE to install XP unattended, so you may be able to boot into that first. http://www.msfn.org/board/index.php?showtopic=88270

If you hard code this option for 2 CD Drives having the same volume ID, you am going on the presumtion that this will work on every system. There may be times when the Hard Drive is not formatted yet and that is going to throw off your numbering. Also some machines see Memory Slots or Card Readers as being volumes even if there is nothing inserted. The MSI MS-163K does this and it screwed up my scripts as well. You may be able to have a script that detects the number of CD Drives, and runs diskpart_script1 if one drive and diskpart_script2 if two drives. AutoIT has a function called DriveGetDrive. Here is an example: $var = DriveGetDrive( "cdrom" ) If $var[0] = 2 Then Run( @ComSpec & " /c x:\windows\system32\diskpart.exe diskpart_script2.txt" ) ElseIf $var[0] = 1 Then Run( @ComSpec & " /c x:\windows\system32\diskpart.exe diskpart_script1.txt" ) EndIf This is an example, and i wrote this up real quick so I didn't test it. As the help file says, "The zeroth array element contains the number of drives".

I have used HFSLIP before. Maybe it will help you too. http://hfslip.org/ I also was able to put SP3 into a recovery CD with this!

They may require that Windows be activated first. We have some like that, like IE updates will refuse to install if the computer isn't activated.

The speed issue on the 2003 was fixed by manually setting the NIC speed in Device Manager. Even at this point, the 2003 WDS runs slightly faster than the 2008 WDS, but it isn't used enough to bother with it much anymore. Its more of a test bed for me now.

Now that you mention it... IIRC, the serial number was relevant to the date of manufacture, if that helps at all. You could read that date, and the other numbers or letters could be decoded to determine if it was a retail, oem or refurb unit, also which plant it was made in and what country, or what country it was made to be sold in. This knowledge is only of the printed serial number, however. But like I said, repairs/reman/refurb units could have different hardware inside that wouldn't always match the serial number on the casing. Like if it was a bad casing and didn't replace the internals.

Well today I was informed that I will be one of two auditees for my company when ISO recertification comes around again. Has anyone been in this position? Should I be worried about it?

I hate that you can do this. I found out about this ability when researching Conflicker.

I've seen CHKDSK actually destroy hard drives.

I don't think that the serial number is programmed into the firmware. I used to work for Iomega and know that it definately wouldn't be for remanufactured drives. In some cases, if all internal components were busted and they would be replaced but if the casing was still ok, they would just relabel (or sometimes they wouldn't) the serial number. There may be newer software able to read more info off the drives, but when I was there (2000-2001) there was nothing to get that type of info out of it.

Erm do you mean Vista Business? You may be able to use the User State Migration Tool. It is designed for mass migrations but I am sure you can do it for just one account. http://technet.microsoft.com/en-us/library/cc722032.aspx I haven't used it before, just read about it in the Resource Kit, and I remember it being on an MCP test.

I have a standard Samsung T-Mobile cell phone and it has a camera. I think you can play music on it and use a memory card but I don't know. I'm actually an AT&T customer so the phone is pretty limited as well.

Cool. I'll keep that in mind for the future. I've also found a way to search the Indexing Service. Its in Computer Management. I tried it on a machine Audit mode so it didn't work. I'll have to remember to check on a sysprepped XP also.

There was a recently reported issue of Spybot doing this to systems. Did you happen to have installed that at all?

You can also use a WinPE or NTFSDOS to view NTFS volumes. WinPE follows NTFS permissions while NTFSDOS doesn't. So I use NTFSDOS to reattribute, move or delete files otherwise inaccessible.

Both of these DLLs are noted on Prevx site as possibly being associated with malware.

I'm never ashamed to have owned anything really.

This McAfee install, for now I just have it scripted to be pushed and then executed on a reboot for now. Its causing me issues because once it gets installed, it stops the script from working.... so it ends up in a constant reboot loop...

We have the latest drivers. So far we've done NetMon traces on working and non-working boards but have yet to find the issue. However, the issue of losing access to network drives after the image was deployed was fixed. It was a coding issue I had not noticed. Now the issue is only that there are errors initially upon trying to map the drives via startnet.cmd.

I asked to my rep but he hasn't gotten back to me. He asked for my PE version (I have an open SR currently) and didn't say anything about needing something newer. There are a bazillion single updates to the OPK itself. Last week's OCE Weekly summary said there was an update to the December 2008 OPK and Supplements. As far as my job scope, I am only concerned with OPK updates that affect the WinPE, not so much unattended deployments or WSIM, etc, that's someone else's job here. I'm current as far as I know, with WinPE v6.0.6000 with the Vista SP1 Servicing package installed.

This seems like too much work to do for one system. Unfortunately, we do not have a snapshot of this machine prior to delivery to the field. This one didn't use an image like we normally do, it was done with a DSP copy (think Windows OEM copy with CD key) instead of our normal OA copies. A checkdisk and defrag were run on the machine, as well as creating new user accounts, adding to a domain and also it had been sysprepped so the Event Viewer has had some entries removed (among other things). I agree about the Event Viewer. I am quite happy with how it is in Vista and 2008, being a bit on the heavy side but I never think you can have too much information. At this point, I am fine with just formatting it and starting over. We already ran full scans on all of our production systems and servers and found no trace of the virus so we can safely presume it didn't come from us. I had once read about this type of thing in the past, with Windows NT. There was a feature, similar to indexing, that would log file changes so that you could roll-back to older files if necessary. The only problem with that was you had to turn it on!

FYI: This may be a fix if using nLite (on EEEs), but I don't use nLite and didn't get this error on an EEE PC.

Its good to know this was the reason. Hope all turns out well.

I've been researching an XP Pro machine that is infected with Conflicker, and the task is to determine how or when it got infected. I have access to the suspect DLL, which was tough. Conflicker not only makes itself a hidden system file, but it also changes the permissions on itself so you can't unhide it. Fortunately, it doesn't actively check to make sure its permissions are still the same, so once you change them you have full access forever. What I had done was use CACLS to give the Administrator account Full Control permissions on the file. This then let me change its attributes so it wouldn't be hidden and possible to copy, open, etc. This file is devious in the fact that it changes its original file attributes (the date/times) to reflect those values in kernel32.dll, which makes it impossible to determine the original date it appeared on the system. I did some other checks, such as looking in the registry, but was unable to find anything in particular there. I examined the PE headers and related information and was not able to find anything important. Also, because the PE headers are modified, you do not have the ability to open the DLL in ResHack, and it has no resource file entries. At this point I cannot determine much about the system. I was thinking about looking up other information, but not sure how to go about doing it. Here are some random thoughts, tell me what your ideas might be: 1. Indexing was turned on, and the DLL is also indexed. Is there a way to look at the file index to get the date/time it was first indexed? 2. If this virus was spread via a USB drive, it should have a record of which drives were connected to the machine in the registry. Where does it registered installed USB devices there? Any other ideas you might have may be good also.