Everything posted by Tripredacus

  1. I've seen CHKDSK actually destroy hard drives.
  2. I don't think that the serial number is programmed into the firmware. I used to work for Iomega and know that it definitely wouldn't be for remanufactured drives. In some cases, if all internal components were busted and they would be replaced but if the casing was still ok, they would just relabel (or sometimes they wouldn't) the serial number. There may be newer software able to read more info off the drives, but when I was there (2000-2001) there was nothing to get that type of info out of it.
  3. Erm do you mean Vista Business? You may be able to use the User State Migration Tool. It is designed for mass migrations but I am sure you can do it for just one account. http://technet.microsoft.com/en-us/library/cc722032.aspx I haven't used it before, just read about it in the Resource Kit, and I remember it being on an MCP test.
  4. I have a standard Samsung T-Mobile cell phone and it has a camera. I think you can play music on it and use a memory card but I don't know. I'm actually an AT&T customer so the phone is pretty limited as well.
  5. Cool. I'll keep that in mind for the future. I've also found a way to search the Indexing Service. It's in Computer Management. I tried it on a machine in Audit mode so it didn't work. I'll have to remember to check on a sysprepped XP also.
  6. There was a recently reported issue of Spybot doing this to systems. Did you happen to have installed that at all?
  7. You can also use a WinPE or NTFSDOS to view NTFS volumes. WinPE follows NTFS permissions while NTFSDOS doesn't. So I use NTFSDOS to reattribute, move or delete files otherwise inaccessible.
  8. Both of these DLLs are noted on Prevx site as possibly being associated with malware.
  9. I'm never ashamed to have owned anything really.
  10. This McAfee install, for now I just have it scripted to be pushed and then executed on a reboot for now. It's causing me issues because once it gets installed, it stops the script from working.... so it ends up in a constant reboot loop...
  11. We have the latest drivers. So far we've done NetMon traces on working and non-working boards but have yet to find the issue. However, the issue of losing access to network drives after the image was deployed was fixed. It was a coding issue I had not noticed. Now the issue is only that there are errors initially upon trying to map the drives via startnet.cmd.
  12. I asked my rep but he hasn't gotten back to me. He asked for my PE version (I have an open SR currently) and didn't say anything about needing something newer. There are a bazillion single updates to the OPK itself. Last week's OCE Weekly summary said there was an update to the December 2008 OPK and Supplements. As far as my job scope, I am only concerned with OPK updates that affect the WinPE, not so much unattended deployments or WSIM, etc, that's someone else's job here. I'm current as far as I know, with WinPE v6.0.6000 with the Vista SP1 Servicing package installed.
  13. This seems like too much work to do for one system. Unfortunately, we do not have a snapshot of this machine prior to delivery to the field. This one didn't use an image like we normally do, it was done with a DSP copy (think Windows OEM copy with CD key) instead of our normal OA copies. A checkdisk and defrag were run on the machine, as well as creating new user accounts, adding to a domain and also it had been sysprepped so the Event Viewer has had some entries removed (among other things). I agree about the Event Viewer. I am quite happy with how it is in Vista and 2008, being a bit on the heavy side but I never think you can have too much information. At this point, I am fine with just formatting it and starting over. We already ran full scans on all of our production systems and servers and found no trace of the virus so we can safely presume it didn't come from us. I had once read about this type of thing in the past, with Windows NT. There was a feature, similar to indexing, that would log file changes so that you could roll-back to older files if necessary. The only problem with that was you had to turn it on!
  14. FYI: This may be a fix if using nLite (on EEEs), but I don't use nLite and didn't get this error on an EEE PC.
  15. It's good to know this was the reason. Hope all turns out well.
  16. I've been researching an XP Pro machine that is infected with Conficker, and the task is to determine how or when it got infected. I have access to the suspect DLL, which was tough. Conficker not only makes itself a hidden system file, but it also changes the permissions on itself so you can't unhide it. Fortunately, it doesn't actively check to make sure its permissions are still the same, so once you change them you have full access forever. What I had done was use CACLS to give the Administrator account Full Control permissions on the file. This then let me change its attributes so it wouldn't be hidden and possible to copy, open, etc. This file is devious in the fact that it changes its original file attributes (the date/times) to reflect those values in kernel32.dll, which makes it impossible to determine the original date it appeared on the system. I did some other checks, such as looking in the registry, but was unable to find anything in particular there. I examined the PE headers and related information and was not able to find anything important. Also, because the PE headers are modified, you do not have the ability to open the DLL in ResHack, and it has no resource file entries. At this point I cannot determine much about the system. I was thinking about looking up other information, but not sure how to go about doing it. Here are some random thoughts, tell me what your ideas might be: 1. Indexing was turned on, and the DLL is also indexed. Is there a way to look at the file index to get the date/time it was first indexed? 2. If this virus was spread via a USB drive, it should have a record of which drives were connected to the machine in the registry. Where does it register installed USB devices there? Any other ideas you might have may be good also.
  17. I am wondering about this again. We have a customer that got it also. I checked my logs and we got it on the 14th, but it was only on my USB key. Trend cleaned out the rootkit and the autorun.inf but that isn't the virus itself. Those are just files it creates. This makes me think that the virus does not propagate via other drives, in other words, it is not possible to spread it via UFDs. Does this sound right? Our virus scan results are only finding the files it had created, not the virus itself. This leaves me in doubt that perhaps some of our servers are still infected with the virus but isn't being detected?
  18. Ok the file you want is P17.inf. Make sure your sound card has a HWID of VEN_1102&DEV_0007. You can see this in Device Manager under the Details tab, and select Hardware ID. Fortunately, I already had this downloaded and extracted.
  19. I've had problems getting multiple Sound Blasters to work in Vista 32bit. Never tried 64. I had to contact Creative Support but I was doing something that wasn't supported. Make sure you do not have any other Creative Software installed, and also say your motherboard doesn't have a Creative audio chip on it. I'll take a look at the drivers to see if I can see anything. I don't have a system to test this out in so that'll have to do.
  20. That was regular Audigy SE search on that site but there were like 3 other Audigy SE options in the list to pick from. Make sure they don't have anything different. Also you could try to install it manually and point to the INF from the installer. You may have to extract the installer with Winrar or so. I've done this once in Vista 32, but my situation was different because I imagine your PC isn't in the Audit pass anymore.
  21. I've not found Conficker doing anything to winlogon.exe. Also unless something has changed in the past week, Conficker hasn't been activated last I knew. If you have Conficker, unhide your protected system files, go into Recycler and see if you can find a folder with SID in it... I forget which one, also your root volumes of all drives will have this in it, and an autorun.inf that points to that SID.
  22. Is this the one you got? http://support.creative.com/Products/Produ...e=Sound+Blaster The first one in the list.
  23. This thread doesn't seem like it should be here.
  24. I remember also having problems getting VM Additions to install. I think that you just autorun the CD (or ISO) after you've installed Windows. It should work like that.
  25. There is an HTA example in my sig. As far as the Flash one, I can't provide you with that. I made a demo Projector and loaded it into my winpe.wim. It works fine, being totally capable of managing files and writing to local drives. Projector isn't very easy to use nowadays because Macromedia (Adobe) has removed many functions from Flash to allow direct system integration, so you'll need to use an old version of Flash. For example, newer Projector apps won't let you delete files from the hard drive. This is because Flash is typically used as a web application, not as a standalone one. Aside from the one in WinPE, I had also made a DemoShield replacement in the past that launched off an install CD. Basically, you build your app in Flash, then instead of making an SWF, you publish to a Projector EXE instead. They work perfectly fine in WinPE all by itself, without having to hack it at all. Alternatively, you could also build a shell using AutoIT I suppose.