Archive for category BTP

HP laptop with Random beeps

We have a laptop which randomly beeps. Three beeps. We have solved the problem, but in case others have it, here is the description.

It is an HP EliteBook 9480m running Windows 7 (but that is not relevant).

We had HP change the battery, keyboard, mainboard and more. Still beeps. Booted into Safe Mode, still beeps.
Ran all kinds of HP diagnostics; nothing appears to be wrong. Imaged the contents to another EliteBook 9480m laptop. It does not beep.

Back to the beeping laptop: uninstalled all HP software (it was a fresh Windows install). Still beeps.

Tested the beep character at the command line; it sounds different. Tested a beep through the sound card; it sounds different. The beep we hear sounds like a BIOS default beep.

Disabled the Beep device and the sound card. Still beeps.

Started to listen for where it was coming from; there are no speakers near there.

It was the hard disk. If you listen very carefully you can hear a short mechanical sound and then the beep. The beep sounds so much like a BIOS beep that we were totally on the wrong track. Does the hard disk have a tiny speaker? Doubt it. I suspect the arm in the hard drive is making a noise that sounds like a beep.

How weird.

Now that I know this, I look online and find many others pointing to the hard disk.

I guess after the fact, it is always easier to google and find answers, knowing the final fault 🙂

Exchange 2010 EMC not opening “The WinRM client cannot complete the operation within the time specified”

When I open the Microsoft Exchange EMC on a server, the following error message is displayed.

Initialization failed

The following error occurred when getting management role assignment for ‘domainname.local/MyBusiness/Users/SBSusers/Administrator’:

Processing data for a remote command failed with the following error message: The WinRM client cannot complete the operation within the time specified. Check if the machine name is valid and is reachable over the network and firewall exception for Windows Remote Management service is enabled. For more information, see the about_Remote_Troubleshooting Help topic.

Click here to retry

There are no additional errors in the event logs. The server is running Exchange 2010 SP2. No proxy is configured. Windows Update is up to date. The Windows firewall is off.

Exchange is still functioning, but the service cannot be managed.
The first lead I found, at the link below, pointed at antivirus.

https://social.technet.microsoft.com/Forums/exchange/en-US/a675a48e-75a3-43c7-b99b-ec86527adb1d/emc-initialization-failed-with-winrm-error-exchange-2010-sp2?forum=exchange2010

As the site is using Trend Micro Worry Free Advanced, I opened the TMWF console, created a new Server container, dragged the server into it from the old container, refreshed the client on the server and can now access the EMC.

Now that I know what caused it, a look through the Trend Micro knowledge base turns up http://esupport.trendmicro.com/Pages/Unable-to-access-Exchange-2010-Management-Console-.aspx

The Exchange Management Console can fail to open when the server has no Internet connection after a restart.
This can affect any server that comes up without an Internet connection, because the default configuration of the antivirus software on the server checks the Internet before allowing the connection to the EMC.
You can change this behaviour by following the steps in the Trend KB article.

The issue occurs because the antivirus proxy hooks the URL that the Exchange 2010 management console queries, and the reputation lookup fails to get a score from the Internet because there is no connection. The EMC then reports the hung request as a WinRM timeout.
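Before changing the antivirus policy it helps to confirm which layer is actually failing. The PowerShell script below is an added example; it is not part of the original post and not Trend Micro's or Microsoft's code. It assumes that $Server is a placeholder you replace with your own Exchange 2010 server name, that you run it as an Exchange administrator on or near the server, and PowerShell 2.0 or later. It checks the local WinRM service, sends a WS-Management Identify request with Test-WSMan, and then opens the same kind of remote PowerShell session the EMC uses (Kerberos to the /PowerShell virtual directory) with an explicit open timeout, so a request that is being held up between the client and IIS fails fast with a clear message instead of hanging.

```powershell
# Added diagnostic, not from the original post or any vendor. Run in an
# elevated PowerShell on (or with network access to) the Exchange 2010 server.
param(
    # Placeholder: replace with the FQDN of your Exchange 2010 server.
    [string]$Server = "exchange01.domainname.local"
)

function Test-ExchangeRemotePowerShell {
    param(
        [string]$ComputerName,
        [int]$OpenTimeoutSeconds = 30   # the EMC waits minutes by default; fail fast instead
    )

    $result = New-Object PSObject -Property @{
        Server        = $ComputerName
        WinRMService  = "unknown"
        WSManResponds = $false
        SessionOpened = $false
        Error         = $null
    }

    # 1. Local WinRM service state. The EMC is a WinRM client, so a stopped
    #    service here explains the error before anything else is checked.
    $svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    if ($svc) { $result.WinRMService = $svc.Status.ToString() } else { $result.WinRMService = "missing" }

    # 2. WS-Management Identify request. A failure here is network, firewall or
    #    listener related and has nothing to do with Exchange or the antivirus proxy.
    try {
        $null = Test-WSMan -ComputerName $ComputerName -ErrorAction Stop
        $result.WSManResponds = $true
    } catch {
        $result.Error = "Test-WSMan: " + $_.Exception.Message
        return $result
    }

    # 3. The same session type the EMC opens: Kerberos to the /PowerShell virtual
    #    directory. -OpenTimeout is in milliseconds. If step 2 passed but this
    #    times out, something between the client and IIS (such as a web reputation
    #    proxy waiting on an Internet lookup) is holding the HTTP request.
    $opt = New-PSSessionOption -OpenTimeout ($OpenTimeoutSeconds * 1000)
    try {
        $session = New-PSSession -ConfigurationName Microsoft.Exchange `
            -ConnectionUri ("http://{0}/PowerShell/" -f $ComputerName) `
            -Authentication Kerberos -SessionOption $opt -ErrorAction Stop
        $result.SessionOpened = $true
        Remove-PSSession -Session $session
    } catch {
        $result.Error = "New-PSSession: " + $_.Exception.Message
    }
    return $result
}

Test-ExchangeRemotePowerShell -ComputerName $Server | Format-List Server, WinRMService, WSManResponds, SessionOpened, Error
```

Run it once while the EMC is failing and again after the antivirus change: with the proxy in the way, WSManResponds is True but the third step reports a timeout in Error; after the fix, SessionOpened is True and Error is empty.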

To resolve the issue:

  1. Ensure that the Exchange Server has an Internet connection.
  2. Log on to the Worry-Free Business Security (WFBS) web console.
  3. Go to Security Settings > Add group.
  4. Under Group type, select Servers.
  5. Specify a name for the group.
  6. Click Save.

Note: The created group will have the default settings if the Import settings from group check box is unticked.

Next, disable the Web Reputation and URL Filtering features for the newly created group:

  7. Go to Security Settings, then select the new group.
  8. Click Configure.
  9. Select the Web Reputation tab and unmark Enable Web Reputation for In-Office and Out-of-Office.
  10. Click Save.
  11. Select URL Filtering and unmark Enable URL Filtering.
  12. Click Save.

Finally, move the Security Agent of the Exchange 2010 Server into the group you just edited:

  13. Go to Security Settings and select the server group where the Exchange Server 2010 is listed.

Note: This step refers to the Exchange Server Client/Server Security Agent and not the Messaging Security Agent.

  14. Drag and drop the selected Exchange Server to the group you created.

New Encryption Virus: Ransomware : CryptoWall v 4.0

WARNING: New very dangerous virus that can cripple your business

Summary of things to do:

  • Don’t open attachments in emails you are not expecting (at work and at home).
  • Pass this warning on to others, and teach them the same practices you follow.
  • Do not visit websites you do not know or trust.
  • Do not trust Word (Doc), Adobe (PDF) and other email attachment files.
  • Do not forward unusual emails on to other staff members.
  • Do not ignore weird popups, or things that are running slow or behaving a little “strange”.
  • If you start finding files on your system coming up as “Corrupt”, call your IT!
  • If you start seeing files on your own machine having their names changed, or that can no longer be opened, unplug your machine from the network immediately and call your IT.
  • Make sure you have a backup that is removed from your network daily. It must be powered down and not plugged in. (Dropbox, SkyDrive and the like do not count.)
  • Ask your IT to block .JS, .CHM, .EXE and other known attack file types from coming in via email (if you have this feature available).

A new ransomware strain dubbed “CryptoWall 4.0” has been found.
This new virus circumvents current antivirus and has new features such as encrypted file names.
CryptoWall continues to use the same e-mail and website distribution methods as previous versions. The samples we analysed were pretending to be a resume inside a zipped e-mail attachment.
These resumes, though, were actually JavaScript (.JS) files that, when executed, would download an executable, save it to a temporary folder, and then execute it.

CryptoWall 4.0 continues to utilize the same Decrypt Service site as previous versions.  From this site a victim can make payments, find out the status of a payment, get one free decryption, and create support requests.

We have passed along a sample of this virus to Antivirus companies and they are working towards a solution.

This virus was first reported on the Bleeping Computer forums.
For those that want more technical detail:
When installed, CryptoWall 4.0 will inject itself into Explorer.exe and disable System Restore, delete all Shadow Volume Copies, and use bcdedit to turn off Windows Startup Repair.
It will then inject itself into svchost.exe and encrypt the data on all local drives, removable drives, and mapped network drives.
Once it has completed encrypting your files it will launch the ransom notes that explain what happened and how to purchase the decrypter.
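The three preparatory steps described above (System Restore off, Shadow Volume Copies gone, Startup Repair disabled through bcdedit) happen before any file is encrypted, which makes them useful detection points. The PowerShell function below is an added example, not from the original post or from any vendor's analysis. It assumes it runs elevated on the Windows host being checked, PowerShell 2.0 or later, and English-language bcdedit output (the “No” token is localised on other language versions). It reports the state of each of the three indicators and raises a single flag only when they line up with the sequence described, since an empty shadow copy list on its own is normal for many servers.

```powershell
# Added defender-side check, not part of the original post. Looks for the three
# pre-encryption changes described above: shadow copies gone, System Restore
# disabled, Startup Repair switched off with bcdedit.
# Assumes: elevated PowerShell 2.0+ on the host; English bcdedit output.

function Get-RansomwareTamperIndicators {
    $ind = New-Object PSObject -Property @{
        ShadowCopyCount       = 0
        SystemRestoreDisabled = $false
        StartupRepairDisabled = $false
        Suspicious            = $false
    }

    # Shadow Volume Copies: the post says CryptoWall deletes all of them. Zero
    # copies on its own is normal for a host that never had System Protection on,
    # so it is only combined with the other two indicators below.
    $shadows = @(Get-WmiObject -Class Win32_ShadowCopy -ErrorAction SilentlyContinue)
    $ind.ShadowCopyCount = $shadows.Count

    # System Restore: DisableSR = 1 under either the policy key or the
    # CurrentVersion key turns it off. Check both.
    $srKeys = @(
        "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore",
        "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore"
    )
    foreach ($key in $srKeys) {
        $sr = Get-ItemProperty -Path $key -Name DisableSR -ErrorAction SilentlyContinue
        if ($sr -and $sr.DisableSR -eq 1) { $ind.SystemRestoreDisabled = $true }
    }

    # Startup Repair: "bcdedit /set {default} recoveryenabled No" leaves a
    # "recoveryenabled  No" line in the default boot entry.
    $bcd = & bcdedit.exe /enum "{default}" 2>&1 | Out-String
    if ($bcd -match "recoveryenabled\s+No") { $ind.StartupRepairDisabled = $true }

    # Raise one flag only when the indicators line up with the described sequence.
    $ind.Suspicious = ($ind.ShadowCopyCount -eq 0) -and ($ind.SystemRestoreDisabled -or $ind.StartupRepairDisabled)
    return $ind
}

Get-RansomwareTamperIndicators | Format-List ShadowCopyCount, SystemRestoreDisabled, StartupRepairDisabled, Suspicious
```

Scheduled to run every few minutes and to alert when Suspicious flips to True, this gives an administrator a chance to pull the network cable, as the checklist above advises, while the malware is still in its preparation phase rather than after the ransom note appears.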

The more people you pass this blog to, the more you help stamp out these types of threats. Reducing the likelihood of this virus being triggered reduces the virus writers’ payday.

SAVE THE DAY, REDUCE THEIR PAY DAY!

550 “Sender address is invalid [route]:”

A quick look on the Internet shows an increasing number of people reporting an error 550 “Sender address is invalid [route]:” with bounced emails. This is new as of August 2015. No one knows what the error means.

It seems that for Aussie clients with this recent issue, the likely fault is with TPP Wholesale, who upgraded security/mail filtering on their network; they are now aware of the issue and are working to resolve it for multiple clients.

They have old webmail service lines / internal routes existing in Webcentral accounts which are creating conflicts.

Webcentral, Melbourne IT, TPP etc. are all now the same company.

If you need this resolved, contact TPP.

There is a new virus and I found it ….. TROJ_CRYPWALL.XXRS

I am as proud as can be. I found an unknown virus, and my company was instrumental in it being included in new detection routines as of 23rd June 2015. I am proud to be helping keep the IT world safe, a world I work in every day and have helped create.

The virus is not named after me, but it is my claim to 5 seconds of fame. Now …. to put it into extinction. It has to go. It is a Crypto virus and dangerous.

I saw several of these viruses arrive in my inbox, with different subjects and sender names. The one common thread was a malformed attachment. Example name: “check[1].zip size=16877”

(Contains 6d5770fd.exe(221184 bytes))

If you rename the attachment to a zip file, you can see the exe payload.
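Two points on this page, the advice to have IT block .JS, .CHM and .EXE attachments at the mail gateway and the observation above that renaming the attachment to .zip reveals the .exe payload, come together in the following PowerShell function. It is an added example and not the author's own code. It assumes a Windows host with the Shell.Application COM object, PowerShell 2.0 or later, and that the suspicious attachment has been saved to a quarantine folder. It lists the archive's entries without extracting or running anything and marks every entry whose extension is on a block list; the list starts from the three extensions named on this page, and the extra entries (.scr, .vbs, .cmd, .bat) are my own additions.

```powershell
# Added example, not code from the original post. Inventories a suspicious
# attachment without opening its payload. Assumes Windows with the
# Shell.Application COM object and PowerShell 2.0+.

# Extensions named on this page (.js, .chm, .exe) plus a few common additions.
$BlockedExtensions = @(".js", ".chm", ".exe", ".scr", ".vbs", ".cmd", ".bat")

function Get-ZipAttachmentInventory {
    param([string]$Path)

    # Names like "check[1].zip size=16877" contain [ ], which PowerShell treats as
    # wildcards; -LiteralPath is required or the file will not be found.
    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }
    $zipPath = (Get-Item -LiteralPath $Path).FullName

    # The Shell only presents a file as a zip folder when it ends in .zip, so a
    # malformed name is copied under a temporary .zip name first, the same
    # "rename to .zip" step the post describes.
    if ([IO.Path]::GetExtension($zipPath) -ne ".zip") {
        $zipPath = Join-Path $env:TEMP ([IO.Path]::GetRandomFileName() + ".zip")
        Copy-Item -LiteralPath $Path -Destination $zipPath
    }

    $shell  = New-Object -ComObject Shell.Application
    $folder = $shell.NameSpace($zipPath)
    if ($folder -eq $null) { throw "Not a readable zip archive: $Path" }

    $entries = New-Object System.Collections.ArrayList

    # Recursive walk; ArrayList is a reference so the nested function can add to it.
    # Item.Path is used rather than Item.Name because Name follows the Explorer
    # "hide extensions for known file types" setting and can drop the .exe.
    function Walk-Folder($f, $prefix) {
        foreach ($item in $f.Items()) {
            if ($item.IsFolder) {
                Walk-Folder $item.GetFolder ($prefix + $item.Name + "/")
            } else {
                $name = [IO.Path]::GetFileName($item.Path)
                $ext  = [IO.Path]::GetExtension($item.Path).ToLower()
                [void]$entries.Add((New-Object PSObject -Property @{
                    Entry   = $prefix + $name
                    Size    = $item.Size          # as reported by the Shell
                    Type    = $item.Type          # e.g. "Application" for an .exe
                    Blocked = ($BlockedExtensions -contains $ext)
                }))
            }
        }
    }
    Walk-Folder $folder ""
    return $entries
}

# Usage (constructed path): the sample attachment from the post, saved to a quarantine folder.
# Get-ZipAttachmentInventory -Path 'C:\quarantine\check[1].zip size=16877' | Format-Table Entry, Size, Type, Blocked -AutoSize
```

For the sample in this post the inventory would show a single entry, 6d5770fd.exe, with Blocked set to True, which is the same information the post obtained by renaming and opening the archive, obtained here without ever double-clicking it. The same block list can be reused for the gateway rule the checklist above asks IT to set up.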

An example email:

From: bmack
Sent: Wednesday, 23 June 2015 12:28 AM
To: Michael
Subject: Hope this e-mail finds You well.

Good day!
Hope this e-mail finds You well.

Please be informed that we received the documents regarding the agreement No. 6489-245 dated from 3rd day of June.
However there are some forms missing.
We made the list of missing documents for Your ease (the list is attached below).
Please kindly check whether these forms are kept in your records.
In case you have any questions here are our contact details: 495-70-75. Feel free to give a call at any time.

Stacey Grimly,
Project Manager

If you see one of these, update your Antivirus. Delete the email. Don’t play with it.

Now, if you find something odd and your antivirus does not detect it, feel welcome to contact me. I will get it to Trend Micro, who will pull it apart. Once they have worked out how to detect and remove it, they share their info with other antivirus companies. At the end of the day, every one of these we knock out gets us one step closer to holding back the tide of these things.

Be careful with Telstra Business Bundle plans (e.g. the DOT plan)

We have found that we are unable to install SonicWALL firewalls or substitute modems on the Telstra broadband plan known as DOT.
(Refer to the plans at http://www.telstra.com.au/small-business/bundles/dot/ (Digital Office Technology – DOT); the clients are Telstra.direct.net broadband clients.)

Telstra provided a Cisco SPA504G VOIP handset and a Netgear DEVG2020 (ADSL modem, router, PSTN, wireless etc.) with most of the settings blocked from view (customised firmware).

The client does not need the Cisco handset but needs a SonicWALL to SonicWALL VPN setup. I could add a bridge in place of the DEVG2020 and get line sync (13 Mbit/1 Mbit), and I could set LLC PVC 8/35 and PPPoE on the SonicWALL, but I could not raise the PPPoE connection.

Basically Telstra have admitted (after 3 months and many phone conversations) that whilst the connection is PPPoE and should work, it will not work with any other router or modem, as it is bound to their provided Telstra hardware to make the Cisco phone handset work.

I asked them if we could revert the account back to normal DSL and remove the Cisco handset and they said changing the plan amounted to breaking the 24 month contract.

So, if you want normal DSL or to use your own equipment, don’t get this plan.