Messages - questorfla

251
Thanks for the quick response Ath.  The answer is that this is what I have been doing but it isn't so easy with Exchange.  If you have used Office 365 you may know what I mean.  The actual Exchange servers that handle YOUR specific email are hard to pin down.  There are ways of finding it but in tests I have run when connected to different ISPs I discovered that the servers are not always the same servers.
But my original efforts went exactly through the processes you mention.  And YES, it does work .. to an extent.  It depends on whether or not the servers you pass through are the ones in use at that point in time.

Just like I found out (belatedly) that what you THOUGHT was your real email address isn't.  It is more of an "alias" for some lengthy and weird "xxx.netorg.xxx@abunchof otherwords.net" or some similar.

(I found that by accident too.)  While the email address as you type it does work, it isn't the one that is used to route the email.  And even this varies depending on whether you own your own domain or are using the normal [email protected] etc.

Anyway, your link is the doorway to the solution.  If you could figure out what parts of what to use there, I believe it could be done.  The fact that the One Module that causes all the problems is the Active malicious website protection is just plain odd.  So far I did the piece-by-piece method as you showed and as long as you get all the right ones in place, it does work.

I am totally amazed that the whole setup  (IE:  OUTLOOK EXCHANGE not  MBAM)  works as well as it does.  It looks like something that has to be a 4th generation iteration of software that was written by computers, tested by other computers, and had multiple generations of improvements by even more computers.  I am not sure a Human could actually follow the logic.

Yet, Work it does and at speeds that are hard to believe.  Less than 15 seconds from hitting send on my end to hearing the "ding" on your smartphone (or whatever .. it doesn't seem to matter what you send from or what you receive on nor where in the World you are located.)  Sure beats the Old POP/SMTP by Miles!  We ran multiple tests trying to see if there was any combination that would NOT get that kind of performance but it all did!

252
ATH:  Yes! You have it!  Bought and paid for and I did all the "right things", checked with THEIR tech.  Searched THEIR boards.  Found other people with the exact same problems.  And I DO mean "EXACT Same problems"  and these people also found the "exact same solutions".  The odds of this being a  coincidence are just too high.  I have never been  a believer in "coincidence" when life is full of "cause and effect" situations.  Some of them even posted that they could see where there are other posters with the same problems.

Sure, sports papers love to print the stories where some 80 yr old  'duffer' hits a 'hole-in-one' on a par 4 shot on his first swing of the day but there aren't courses where that happens to multiple aging golfers on the same hole in less than a year.

This is a real 'cause and effect' and MBAM refuses to say what part of their software has any effect on the way Exchange servers work.  Because this loses them sales, I believe they either really don't know ..... or... they won't tell anyone due to proprietary methods.   I have seen them get people to go off into private chats (on a couple of cases) and the people are probably sworn to secrecy after that.  Maybe they have given them a free lifetime subscription.  (now TRUE "paranoia" pokes out its head :)  )
If it IS the active Malicious website detection (which most of us who found this problem have narrowed it down to) they won't tell anyone as they would not want to be telling any of their clients to "Turn Off" any of their protection.

I can also see this having to remain a well kept  secret to avoid the information falling into the "wrong hands" and being used to create a work-around to avoid the very module that currently protects those it works for.  That is why I said I don't really expect to get an answer because "This is the World we now live in".

But if I don't come up with something then we are buying $1000 every year worth of useless software.  No one runs it because they can't depend on the mail being on time and reliable.  In our business they "eat and breathe" email.  They would go without Anything Else just to be able to have that one thing work.

Since all posters are essentially anonymous except for contacts through the board, there is no way I can ask Any of the other people if they ever solved their problems.   I can only try to connect to them "Through" the board and my posts to try to reach them are removed for "non compliance" with board rules.

About the only thing I got out of their "help" was finding out that an old Windows 7 system that I dug out of the scrap pile had some kind of "hacked" software on it.  They never said what, just told me that was the end of their help.  I guess that is nice to know except the laptop in question was a junker that is the only thing laying around I could just "play with".  But when they start telling me to "turn off all antivirus protection and such and run a bunch of software tools I have never heard of....  I am sure not going to use anything I might need again later.

I guess a lot of people are more desperate than I am because a lot of them actually do it.  I, on the other hand, spend 30 minutes or more researching the "tools" they want me to run (Run with my AV disabled etc ) to create these lists of "possible problems".  I wasn't the only one who complained about that either. :mad:

Oh!  And the option of NO Mal-ware scanner isn't a workable solution.  They DO use the Internet a LOT and DO download and run apps.  If I could get MBAM to NOT scan the email at all BUT work on everything else, that is exactly what I need to do.  This is exactly what I asked for but cannot get a working reply.
If the people who get a "bug" do so from opening an attachment from some Lawyer in Nigeria telling them they need to collect their money...
Well, I can live with that and they deserve what they get.



253
What I am looking for is Specifically what should I exclude from being scanned by Malwarebytes.

:)  I hate being BRAND specific when complaining but there it is.

Good Old MBAM  Been around forever and probably the number one Malware program worldwide.
Many people have posted on their forums the EXACT symptoms I posted.  They each get blown off by one of the Moderators too after they have them run exhaustive scans with multiple no-name scanners and then proceed to tell them everything else that is wrong with their system totally ignoring the fact that the User point blank explained to the techs that removing or disabling their product (Malwarebytes) solved the problem.
End of story

My case is identical.  There are several more exactly like my own and each got blown off with such poor attitude that it makes me want to dump the product line. They have JUST NOW renewed about 30 licenses and if I can get those refunded I am at the point where I would gladly do so.
They must have some competition who works just as well but has a better view toward supporting their customer base.

I am not usually so blunt but these forum techs spend more time looking for excuses as to why their products don't work than they do trying to solve the problems.  Once they hook you on 'Auto-renew' you are stuck.  This time the product is broken for more people than just me so I need to stop wasting time trying to fix their problems and find someone else with a product that works.  No one stays #1 forever and MBAM had lost their edge IMHO!

254
I seem to always not explain things in the proper context?  We don't HOST an exchange server.  The issue is that all Outlook 365 email DOES go through Exchange Servers maintained by Outlook (Hosted Exchange).  It is my understanding that they Do scan for and remove Malware (or at the least various malicious processes that are known and can be scanned for) as I can easily see in the headers of the emails that they were scanned and found to be clean.
(I presume if they are NOT clean, they are simply not allowed through?  I never see a header saying "This email was found to be infected but MS decided to let it go through anyway in case you wanted to be infected by it.")   :huh:

That being the case, my issue is simply that USERS (even Me) constantly find that they have a message at the bottom of their Outlook Screen saying "Unable to Contact MS Exchange Servers."  No further explanation given.  This message remains on the screen for up to two hours during which time it may flicker from trying to send to trying to receive to the Unable to connect message.  At some random point in time, this will eventually solve itself, the server connects and all the email that has backed up for the duration of the Unable to connect time span will suddenly flow through.  There is no information given as to why it stopped nor why it started back.  No errors listed and it has nothing to do with internet connectivity.

I have proved to my own satisfaction that it is the Malware scanner that is blocking the Exchange interaction.  Turning it OFF immediately solves the problem.  And does so instantly and without fail.  Nothing else does anything to help but switching the Malware protection to OFF immediately solves the problem.

The reason for my questions is that I must find some way of keeping the protection ON but not blocking the email.  It is that simple.  While I would be very happy to know WHY at this point it is a matter of everyone is turning their protection to OFF and leaving it there so that their email works.  Just as odd are the random few people who do not seem to have this problem which rules out the issue being 100% the Exchange servers, the OS, the email program etc since they ARE all the same.

I have found a few people who mentioned that removing the Malicious Website protection module worked for them but I cannot get anyone at the software company to confirm that this is a good idea.  And I can certainly see why.   When I do find out what works for ME I also would be afraid to "recommend" the same for anyone else.  It is sad that this is the world we live in but it is what it is.  No one wants to risk being wrong.  Better to let each one struggle with their own issues when it comes to things like Malware etc.

One man's Vaccine is another man's Plague.

Still, I had to ask.

Stoic (and others), sorry if my wording led you astray.  We are way too small to host our own email.  We used to but it is no longer practical.  The only hosting we do are a small private web exchange and another small private SQL DB.  The only Server OS in the House is Server 2008R2 for the SQL DB.  All the problems are on Laptops connecting to the internet for Desktop installs of Outlook Exchange Email.

What I am looking for is Specifically what should I exclude from being scanned by Malwarebytes.  Turn it OFF and the mail works, turn it ON and the mail gets flaky.  This Off and On is on the Users (client) systems.  I have no control over what Microsoft does at their end.  I just would rather not have the users completely turning Malwarebytes OFF, ...Even half "on" is better than NO "on".  I guess I can always just tinker with the options until I hit one that works for us.

Thanks for the list "x16wda" but I imagine that it would apply more to cases where someone was running an AV or Malware program on the "SERVER system" that hosts the Exchange Email not on the Client side which is all I have to deal with :(

255
I have asked the vendors themselves and gotten almost nowhere.  They usually tell me to run half a dozen other pieces of software some of which I have never heard of and post on a public forum the results of these scans.  This does not sound very secure or give me a lot of faith in the abilities of the software involved.  It is like those programs that say "Turn off all AV and Mal-ware programs before installing"

Isn't that exactly what a virus or Mal-ware would want you to do?  I can understand the need in some cases but the logic behind the statement that is as if '  Of course you should never use an Antivirus or Mal-ware program before installing OUR software .  Trust us! '  This ongoing issue is creating a serious problem with our email in Exchange 2013 but the same protection software has worked so well for keeping us free of threats that I am hesitant to dump it, yet cannot get any assistance in what needs to be excluded for the mail to get through.

Has anyone else seen this problem and found any working solutions other than getting another product which may not work any better and could be far worse?  I do not want to be "brand specific" but we all have the same two pieces of protection software and turning 'ONE' of them OFF is >Always< the solution.  It isn't the AV software either so that narrows it down a bit.  If I have posted before about this, sorry to be a repeat offender :)  But the problem won't go away and there are too many people for me to just remove it from everyone even though doing so is an instant fix.

256
Yeah.   Probably not an off the shelf issue for sure.  I already posted the first road bump.  Encryption.
Some of these files are copied direct from old server drives.  The old server 2008 R2 (and maybe even server 2003) had cases where the files ended up with EFS encryption but when the drives were pulled no one bothered to save the keys.
Because of the fact that I have all these drives from many years to work with I found that eventually I can find the same file somewhere with no EFS.
But:  In any case where an encrypted file (even if it is one with a zero file length) syncs to the same location of files that are NOT zero length, the EFS files always get kept instead regardless of date or size.  They cannot be overwritten either so I cannot go back.  EFS wins all the time.

If you take a look at my other post about this you can see a pretty nifty script I came up with to look for and make a list of all zero length files on the entire hard-drive.  And surprise !  it works  :)  and just one line too.  (or two lines in batch)

My reasoning was that most of these EFS files had no data because of their lack of keys when copied.  The names are there but no "size".  The script did a great job and even located a ton of trash I can remove but.. It did not find all the EFS files or even close.  Many of these files turn out to be inside whole EFS folders.  So .. I next needed a way to search for Only EFS files regardless of size and that turned out to be a little harder.
Apparently, the fact they are EFS makes them somewhat invisible to many search utilities.  That encryption flag is apparently not so easy to locate or make notes of the path to the file.

On several sites many SYS admins point out that this is a critical "first thing to do" when working with old data servers because of this.  Early EFS setups can easily be transferred forward onto new drives without their keys and apparently all it takes is to put a regular file into an EFS folder and the flag gets set for the file.  So the user unwittingly makes their own files unreadable.  This seems to be an inherited permission though I have not tried so hard to find out, I just want to get this over with.

If someone knows the correct "tag" to use instead of file length, I could just plug it into the other script I have and get the same list of EFS files instead of Zero Length files.  End of problem. :)

257
This is part of a project that is gradually getting done thanks to the help of several nice DC Posters.  Due to problems that came up during the project, I need to locate a method of recursively searching files for a specific property.  At first, I had thought the file length could be used and to that end came up with a simple one-liner which can scan for and make a list of all zero length files.  Unfortunately, not all of them are zero length.
The problem is (was) "Windows encryption" which had been used apparently at some point on many of the files which makes them impervious to overwriting by non encrypted versions of the same file whether it is newer or not.  
I have decided my only choice is to locate them all in advance, copy the encrypted versions to a new sub-folder which will then allow me to copy the unencrypted version into the vacated sub-folder.  This is important because the location of these files has to remain as it is but the encrypted ones have no keys (or if they do I doubt anyone would know where they are) which effectively makes them worthless.  I need to find them and move them out of the way to make room for copies of the same files and folders which are also on other disks in their unencrypted format.  
Some of these files showed zero length and I had hoped they would all be such.  Unfortunately this was not the case.
If it is of any use to someone here is my version for finding Zero length files and copying the names to a list.  I am not sure how to edit this to scan for windows encryption though.

Code:
@echo off
rem Append the full path of every zero-length file under the current folder to zerobytefiles.txt
for /r %%F in (*) do if %%~zF==0 echo "%%F" >> zerobytefiles.txt
This was written for use in a batch file and could be modified for direct entry by removing the extra %'s.
4WD  I expect you will knock this one out of the ballpark?
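
One way to build the list of EFS files asked about in the two posts above, as an added example that is not part of the original posts: it tests the NTFS Encrypted attribute instead of file length, and with -Move it renames each encrypted file into a holding sub-folder beside it. The parameter names, list file names and the `_efs_hold` folder name are assumptions made for this example.

```powershell
# Added example, not from the original posts.
# Lists every file and folder under $Root that carries the NTFS Encrypted (EFS)
# attribute, whatever its size. All names below are assumed; change them to suit.
param(
    [string]$Root           = 'D:\',
    [string]$ListFile       = 'efsfiles.txt',     # encrypted files, one path per line
    [string]$FolderListFile = 'efsfolders.txt',   # folders that encrypt whatever is put in them
    [string]$HoldingName    = '_efs_hold',        # sub-folder created beside each encrypted file
    [switch]$Move                                  # without -Move the script only reports
)

$efsFlag = [System.IO.FileAttributes]::Encrypted

# -Force includes hidden and system items. Folders that cannot be read are skipped.
# Anything already sitting in a holding folder is ignored so the script can be re-run.
$items = Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        ($_.Attributes -band $efsFlag) -and
        ($_.Name -ne $HoldingName) -and
        ($_.FullName -notlike "*\$HoldingName\*")
    }

$files   = @($items | Where-Object { -not $_.PSIsContainer })
$folders = @($items | Where-Object { $_.PSIsContainer })

# Same shape as zerobytefiles.txt: one full path per line.
$files   | ForEach-Object { $_.FullName } | Set-Content -LiteralPath $ListFile
$folders | ForEach-Object { $_.FullName } | Set-Content -LiteralPath $FolderListFile

Write-Host ("Encrypted files:   {0}" -f $files.Count)
Write-Host ("Encrypted folders: {0}" -f $folders.Count)

if ($Move) {
    foreach ($f in $files) {
        # The holding folder is on the same volume as the file, so the move is a
        # rename. The file's contents are never read, so no EFS key is needed.
        $hold = Join-Path $f.DirectoryName $HoldingName
        if (-not (Test-Path -LiteralPath $hold)) {
            New-Item -ItemType Directory -Path $hold | Out-Null
        }
        try {
            Move-Item -LiteralPath $f.FullName -Destination $hold -ErrorAction Stop
        }
        catch {
            # Typical causes: NTFS permissions, a name clash in the holding
            # folder, or the file being open elsewhere.
            Write-Warning ("Could not move {0}: {1}" -f $f.FullName, $_.Exception.Message)
        }
    }
}
```

Run it without -Move first and read both lists; a file copied into a folder named in the folder list picks up the encryption flag again. The built-in `cipher /u /n` also lists the encrypted files on local drives without updating their keys, which makes a useful cross-check.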

258
General Software Discussion / Re: Batch PDF printing
« on: May 20, 2015, 05:37 PM »
Not sure if this applies or not but I use the bullzip utility which is free for home use.  Has no whistle or bells but has always worked and so easy to use I find it hard to replace. Get at bullzip.com.
Be sure to look carefully for the 'community version' which is listed far down the page as some of the other options are free trials of their paid for product.

259
Living Room / Re: Microsoft Surface Pro 3 8GB I7 256GB SSD
« on: May 20, 2015, 03:51 PM »
Have you had to do a lot of firmware/software updates?  I have not seen BIOS updates yet but MS just put out a bunch of firmware updates a week or so ago and said they were to fix problems with overheating (among other things).  All in all, though, I have to admit they worked pretty well even for the most I could throw at them.

260
Living Room / Microsoft Surface Pro 3 8GB I7 256GB SSD
« on: May 20, 2015, 12:39 PM »
Has anyone used one of these for any length of time?  I am looking for honest opinions and not marketing glib. 

Already had to get them like it or not but wondered if I should expect any issues with overheating due to size and such.  I was kind of surprised to see that they come with tiny cooling fans (of some kind) in a true tablet form factor.  Don't know why MS didn't bother to make the keyboard (Type-cover) out of a Lithium Polymer so it could serve as an additional battery source.
As a side question, I need to locate two fire-engine red "sleeves".  I searched Amazon and found quite a few but can't "road test" them all.  In this case, the users want light-weight more than "protection" from damage as they are "upper management" and live out of airports (more or less) spending more time in the air than on the ground.

The red color to match the Type-cover is probably just as important, it has to be a close match.  And needs to be more of a velvet pouch from what I can get out of the people they were purchased for.  Sad   :'(  This is where the world of tech has gone..   Fashion sense matters most now  8)  :tellme:

Opinions of what to expect would be appreciated as I will be the one who has to keep them running with remote support if they choke-up 1000 miles from home.   I just hope someone here has had one for a while.

Mfr websites to this day still post intelligent things like "In case of system lock-up to first remove the battery ..." :huh:!!  I have seen this advice posted on almost every site from HP to Toshiba even though they know the battery in those ultra-books can't be accessed without  a can-opener!


261
Thanks to you both for such quick answers.  Tomos, yours as displayed would probably work and I am working with drive copies for the first run.  If it works, I have maybe 30 backup drives to merge into a single drive with the most relevant data so I will know for sure after the first run and can't hurt anyway.
I have never used either program so will try both.   With hard-drives cheaper than backup tapes used to be this is just how they have been doing it to provide failsafe redundancy but after 5 years I need to get this all onto a single new master copy.  I don't trust 5 year old hard-drives all that much. :(
Almost forgot, do either "clean up" the original?  The reason for the cleanup is so there is no doubt that something was done with everything.
I can't see any instance (other than an immovable file) where it could be left over on the drive D:.  If it does as it should D: should be empty.  I can do a lowlevel format and check for any glitches.  If it is one of the newer drives I will keep it in rotation.  Those 3 years or older though get "shredded" (hard to believe you have to shred a hard drive these days  :o  ).

But such is the world of the "future".  I can't wait for the 3d-printable hard-drives to come out  8).  Then maybe I can just burn them after use :Thmbsup:

262
Living Room / Re: New Virus or ??
« on: May 19, 2015, 05:56 PM »
LMAO!  Thanks Stoic.  On most of this I just happen to think in odd ways.  I can't take credit for this new disaster but some of the other stuff is just me thinking WHY are "people" still having to do things like this.
Part of the answer is 100% you are correct.  How many businesses these days have an antique "workstation" environment.  Makes me want to cry.  ... Or laugh?  Life is what it is.. either roll with it or get rolled over by it.  I try to think outside the "box" and sometimes... I wonder about my own sanity.  They say that means you are OK.  As long as you have doubts about yourself,  you are fine.  Though that sounds a little odd on the face of it.
I was thinking about asking Mouser if there was ever any more thought given to making the contents of the entire Forum available for search and download.  I have seen so many things here that I see nowhere else.  I would archive the whole thing if I could.
Who needs Google?  Just search this forum and  "All Questions Shall Be Answered; All Secrets revealed!"  :Thmbsup: :D

263
Best Program or method to:
Copy all files from a location on drive D: to a location on drive E: with the following conditions:
If the file already exists on E:   AND   is newer   OR       larger   than the one on D:     Then the copy on E: is left in place and copy on D: is deleted.
Otherwise the copy on D: is Moved to E: and overwrites without asking.

Sounds simple but I cannot find the right combination of switches to do the either or part.
This should end up merging the two locations onto the E: drive location keeping the copies that are either newest or largest regardless of where they are.
The reason for this is that there are some newer copies of the same files that are from zero to 5 bytes or so in size created in error.  Need to keep the larger copy in that case even if it is older.

264
Living Room / Re: New Virus or ??
« on: May 19, 2015, 04:08 PM »
Sorry I have been in and out.  Things are getting better here but in answer to a few questions:  Yes, the systems did reboot. Quite obviously, if for no other reason than people rebooting them but many hit a point where they rebooted as files to stay running were deleted.  Sorry for not mentioning that specifically.
As for the Desktop background, there is plenty of mention of that in the "padding" used to "hide" the actual virus.  They said that there are a lot of real files such as desktop backgrounds etc that are mixed in with the virus in order to increase the size of the file so that it can escape any searches for those "small files that look suspicious".
While I have no "proof" it was Rombertik, (and to be honest really don't care or ever want to see anything like it again) I can say that whatever it was, it left an indelible mark, probably for the best.
And Yes, Stoic, you are correct.  But that won't change and that is the way it is.
This is not a domain, it is a work-group and just about anybody can do as they Darned well please which bugs me no end but...They will learn when the day comes that some file clerk wipes out the whole business from a YouTube Download.
Until then, my job is to try to hold things together as best as I can.
Thanks for everyone chiming in.  All knowledge is worth something.  We still have no idea of the original vector for it other than SOME of the people who got hit got a couple of odd emails.
But some people who did NOT get hit also got some very similar.
None of the emails contained any attachments and all were stamped as being scanned by the MS Exchange Servers and found clean. (even though the language used in them was anything but)
I was reading my own posts and wanted to clarify this.  In the early stages we did suspect email to be a source but now I think the email was more of a symptom than a cause.  It worked much like a hijacker virus would and the effects were so "directed" that you could almost feel someone else in the machine watching each User freak out!  I can imagine then that this would not be so impossible and someone Could have actually been looking on through the webcam. :)


265
This is a little difficult to explain and currently I get it done through the use of several different programs.
On a number of old backup drives, I have multiple daily backups of entire directories of program files and folders along with the data used by them.
What I need is a way to extract all of the files of certain types and of those files, remove all but one (the newest).  Everything else can be deleted leaving me with a folder full of nothing but a single copy of any specific file and it being the newest version.

The drives are all full (smallest is 500GB largest 1TB).

The files to be kept are specific extensions like .doc  .docx  .pdf  etc.    At this point, all of them will be document types, though the use of audio files is in the works.   I have been doing this in steps using one extension at a time to find all .doc for example and move them all out to another folder.
The second step is removing the duplicates created when I do this as each file was backed up once each day sometimes for months making 60 copies of that file.  Because the backups were done on each directory at different times I have to deal with each drive as a whole and cannot just find the newest copy of a single directory.  Even if I could, I still need to be sure I only keep the last version of each file and this could end up being on a different drive.

In theory, for the reason they are kept, I do not need to keep the actual "path to the file"  as: C:\a\b\c\d\filename.  This same path including the filename exists once in every backup.
But having that information could be of some use one day as it is possible that a given file could have been used in one project and then restarted in another.  The project names and other information is in the path.  But I was only asked to worry about the files themselves.
I have tried various duplicate removers with each offering some advantage but nothing I have found can do the whole thing in one step.
To make it even harder, each path would have probably 15 or more files in it and keeping the full path name attached to all the files would also be wasteful and cumbersome.
The ideal would be to end up with the latest versions of every file that exist in each path kept and all others discarded.

C:\a\b\c\d would end up with 1.doc, 2.pdf, 4.txt, 5.docx (example only most of the files are pdf's)  That would preserve the path to give the logic of why the file was there to start with.
As it is, that same path including all those files exists multiple times and in most cases the files don't even change but in some cases they do or I would sort the whole mess by "date of path", keep the newest version of the data directory and be done with it.
However, doing it that way would also end up omitting a lot of documents that were deleted during the term of the project and they want to keep all that were ever in each one even if it was deleted during the term of the project.

As I said, the path is something I think will one day be an item they will wish they had kept but all I was asked to do is keep all the documents, just one big pile of them.

Thanks for any ideas.  There are at least 20 more of these drives I have to reduce to the newest single copies of stored documents only. The rest all gets deleted and the drives reused.  I am probably approaching this with tunnel vision and there must be an easier way.

266
Living Room / Re: New Virus or ??
« on: May 14, 2015, 08:42 AM »
Lots of good posts.  I plan to look at each as we are still in the dark other than we know it was something and that whatever it was, it was as close to having some kind of AI running the show as I have ever seen.
Depending on too many variables it seemed to do different things.  It also seemed to be tied in with multiple other "bad guys" such that even when whatever the main threat was gone, there were many little things left laying around. If it was not Rombertik, it had all the earmarks.  The weird background was probably part of the "trash" that is loaded into Rombertik in an attempt to obscure the Malware.
I can tie a few odd events that occurred to each of the people affected but there were people who also had those same odd events who did NOT get the "Full Monty" treatment.
For the time being, it is now using up more of my time trying to be sure it is GONE and not just HIDING.  Once going through an experience like this it leaves you feeling almost like there is no point in trying if there is no way to win :(  I know the AV software companies probably have this one under control by now. At least we have not had any further issues so I hope so.
I even understand their reasoning behind each one giving the same virus a different name.  But that same reasoning makes it nearly impossible to know if a threat removed by the AV program now is the same threat I was dealing with a few days ago.  It is hard when they ask for a "sample" yet I don't even have a Vector at this point, much less a way to contain a sample.
By the time I THOUGHT I knew what to look for, it appeared to have morphed into so many varied forms and types of damage it honestly was easier to just reformat.
And:
Even then, I can't be sure.  Reformat to Factory?...   maybe.  As long as it hasn't infected that sector too.
With Windows 8.1 having no external media that I can be 100% sure about, and with the license codes embedded in BIOS, there is only so far you go.  When all seems well a week later it could be just because the AV companies had finally gathered enough evidence to add a specific marker to their signature files so they catch it before the damage is done.
Thanks for all the comments and if the discussion itself got even one person to be more aware of their vulnerabilities it was worth it.  Those who got hit lost every file they had.... One way or the other.  If the virus did not get it, I had no choice but to scrub anyway because I could not risk that it might be hiding there.  Anyone displaying almost any of the symptoms was a suspected carrier.
If nothing else, I learned a lesson in humility.  It is easy to play Monday Morning Quarterback but when you are in the game while the ball is in play, things look a lot different.
And I hope the employees learned to make backups.  NONE of them, not a single one, has made any attempt to keep anything now for years.  Worst of all, they use their desktops like a filing cabinet and no amount of pushing on my part has made even a dent in that practice.
It doesn't help that Windows has made it nearly impossible to "restore to 3 days ago" instead opting for a more useful (but far more complex) method of "version per file" which requires an additional drive and by default is set to OFF.
Because NO ONE here has made the final jump in user interface, all of them preferring to keep their old Windows 7 layout through various utilities,  it left most with not even a chance of recovery if affected.

267
Living Room / Re: New Virus or ??
« on: May 07, 2015, 04:21 PM »
Stoic:  No, just the one word of F&CK.  But that is, to most of the girls here, a little over the top but not so much as to be Outrageous.  They all know what it means.  It is just unusual to get emails like that other than as SPAM which is what we considered it.  Lately, though, since our switch to Office 365, the amount of spam has gotten so low I had forgotten it existed.
The description that you will find when searching for ROMBERTIK fits it to a "T".   100%.  This is something so NEW though that even the Googled articles on it I can find few that are more than 4 days old.  While I cannot "see" or locate the Virus/Malware itself, I do know where to find it.  It is in an email she got.  Not sure which one but it is there for 100% certain.
We loaded a new system, new everything, new AV and new Malwarebytes, new Office 365 etc.  No problems and all was well.
Until she checked her email.
We had her go back to last Friday (the first evidence of anything) and just open and read her email from Friday till now.  No replies.  No opening attachments, Outlook was set to BLOCK HTML.  Every safety margin was at 100%.
Within 30 minutes or less of her starting her email, the first thing she saw was Malwarebytes begin to UN-install itself.  Like a normal uninstall showing the screens of the program being removed etc.
Next was AVAST.  Same ritual.  Finally Office went through its own removal.  This laptop had nothing else on it.   It worked perfect until she loaded her email from Outlook Exchange Server.


268
Living Room / Re: New Virus or ??
« on: May 07, 2015, 04:11 PM »
OK,  Here is all I have to add.  Maybe someone has heard of this or can give me a hint as to how to even look for it.
The current most likely name is "ROMBERTIK".  It is an extremely malicious family of Malware that seems to be mostly in Europe

269
Living Room / Re: New Virus or ??
« on: May 06, 2015, 02:24 PM »
Shades:  I am as sure as I can be of anything.  There are some new indications of odd behavior though.
This is 100% for certain NOT anything they deliberately installed.  The system is one they have had in use for several months but not even a year yet.  It is an ACER laptop.  It had Windows 8.1  Office 365 etc.  No other odd items of any note.
The background she had was one she picked from somewhere long ago.  It is pictures of a Buddha statue in a jungle surrounding (this is as best as I can remember).
Last night it stayed connected to my network as I worked to find the problem (though I did take all my own systems off the network  :)  )

I found nothing odd.  Except for the fact that most of her software was gone.  Office 365 was gone completely.  Adobe Reader was gone.  Several software programs she uses at work were gone.
AVAST was NOT gone but Malwarebytes WAS gone.

(Note:  By GONE I mean that there was no trace of it ever being there as far as I could find.  Not in recycle bin, not anywhere, not even as a Hidden system file.  I know how to "see" everything and they were not there. )

Today, my intent was to ask her if any of the documents files (which there were still some even though they looked odd since they had no icon associated with them and normally people cannot see .doc or .docx or .pdf.)
The only Icon was on PDF's due to Windows now having a native PDF reader of its own.

I came in today preparing to ask her to tell me which of the files she wanted me to move off the drive so I could begin a complete format.  As she was looking through the files,  Her OLD DESKTOP BACKGROUND of the Buddha came up!  I do not know from where it came.  I had scanned the computer already looking for it but I was not sure of the name.  Nonetheless.  It was there.
This was a minor victory to her but to me, It was just another reason to worry.
Within 5 minutes or less.  The DELETING bar popped up and deleted what few files were left.  I had interrupted this yesterday when I Powered down the system.
Now the rest of the files are gone.

My biggest concern at this point is that the only difference between last night and right now is the network it was connected to.
I had scanned it with Sophos, Norton,  and every other scanner I could find and come up with nothing except 1 listed a " Mal-ware.gen."

If the action of DELETE  began after she got to work.  But NOT while NOT at work, I am very concerned that whatever this is, it is a Mal-ware that exists somewhere on the office network.  The fact it had chosen to affect one person ... At this time... does not mean it won't be another one later.  I am currently running deep level scans on every system here but they are all interconnected on the office network in some way.  All have current up to date AV's and other forms of protection  even the servers.  (Especially the servers!)

But for her OLD desktop background image to appear for the 3 or 4 minutes it took to delete every other DATA file in her system was extremely odd.  I managed to get some photos of it happening with my cellphone but... That is about it.

I am about to do a forensic exam of the hard-drive removed from the system but do not expect to find any more than I found last night.




270
Living Room / Re: can anyone help me grab these pics
« on: May 06, 2015, 12:05 AM »
Neat trick whatever they use.  I just clicked on Print screen as soon as each came into focus.    That also works with the built-in windows "snipping tool" which has the advantage of saving the picture as HTML or just about any other format.  But the "ding" that I got initially seemed to lock the screen.  The viewed image source is blank.  Wonder what they are using for setup?  The print screen app is free by the way from Gadwin.com and is an excellent tool.  In some ways I like it better than the Windows clippers. Ayryq's way is probably the best but the others work in a pinch.  Just throwing these out there in case you need alternatives.
Nice to see another Nitro user out there :)

271
Living Room / Re: New Virus or ??
« on: May 05, 2015, 09:06 PM »
Since it is not my system, I cannot say.  I CAN say that I saw it happening as I watched.  The progress bar was displaying percentage of files deleted and it was moving pretty fast before I Force-shut down the laptop.  Waited a while and restarted.  That was when she told me that was NOT her normal desktop.  There is no new user created.  I gave it back to her and told her to let me know when she found out if anything was really gone.  Before she could turn away, the "Deleting Files" bar came back up and quickly reached 100% before we could do much.
Her desktop has nothing now but the System Icons on it.  However a LOT of her files are still in various folders.  Some programs are completely gone with no trace.  One of these was Office 2013/365.  Not a trace left.  But not the only one and the others are not MS related. 
She was about to leave for Home (5pm)  I got left with the mess.  So far, not a trace of any virus, Malware or anything else I can find using multiple scanners.

Just a Mystery. 

Oh, and the Creepy Cobwebs desktop.  It ALSO deleted itself.  I was able to catch one last glimpse in a screen capture before all traces were gone.  The words in the capture say "Unable to find "creepy co       "  that was it.  The rest of the name "Creepy Cobwebs" was gone along with the error and it ended reading  just like that:  two letters "  Creepy co    "  the rest of the name wasn't even there.

No mention of it in the registry or anywhere else.

The only reason I knew the name was because I looked for it while it was there and it showed as a "Theme" which has since completely removed itself.  Because of all that I am a little bit leery of even reloading the drive and it is one of the new laptops with the drives sealed in anyway so my only option is "System Restore".  Like it or not.

272
Living Room / New Virus or ??
« on: May 05, 2015, 05:46 PM »
I thought  I would post this to see if anyone has run across anything similar.  One of the people here started getting odd emails a few days ago that were of a type she would never expect.  The wording was pretty "graphic" and appeared to be requesting a reply.  All of our systems have up to date AVAST as well as Malwarebytes.  These emails had no attachments and my advice was to "delete with SHIFT+" for a Permanent removal.

This began 2 or 3 days ago.  Today, her system restarted itself and came up with a new "Theme" called Creepy Cobwebs with a Spider in the middle of the page,  Odd to say the least and not what she had by any means.   Worst of all though was that as soon as that happened a "Progression Bar" appeared on the screen saying the % of files deleted and it was steadily moving across the screen.  By the time she got it to me (only a few minutes) the bar was moving at a very fast pace and all of her desktop icons had already been deleted. I immediately pressed the power and rebooted.

The bar came back up pretty quick and continued to delete files (or so it said).  Whatever it is, it apparently did delete quite a lot.  It also deleted "Some"  but not ALL of her software.  I am not sure why some were spared and others were not.  AVAST still scans but says the system is clean.

Malwarebytes is completely Gone from the system now.  No folder or any trace it has ever been there.

I have seen many Viruses in my day, some worse than others.  But this was pretty absolute in its destruction as everything is gone.  Not encrypted and locked up but completely gone.  The system is almost down to "Bare Bones Start".  Several other programs which were installed and in use are also completely gone with no trace.  This happened with no warning and the display of the progress bar as files and folders are being deleted certainly enhanced the Fear Factor. 

If this sounds even a little familiar it would be nice to know where to start looking before it hits someone else here.  There are a few others who have gotten similar emails but who have not yet been affected to this extent.

I figured someone here may have seen or heard of something like it.  I was only able to  find references to a virus called "Goner" and "Goner-A" but some of this was years old.  Some was from news articles published today.  At this point, I do not even have a clue if this is the same or similar.

273
Wow!  Thanks everyone.  Hit the jackpot on this question. :)
Best of all, I always treat every reply as a "seed" to find things I did not even know I wanted.
One of the replies (Milesahead I think) mentioned something interesting but I cannot find more on how to achieve this effect.  Getting specific Icons to Blink.
Other effects would work and might be less annoying to some people such as slowly changing from one background color to another or any other effect to make it eye catching.  Once located, I can deal with the rest.  But a quick scan of How To found more on how to STOP the blinking of certain things.  
By the way, all of this is on Windows 8.1  An "Apple fix" won't be of much use. :(

To be honest, this would be of as much use to Me as to having it available to use while working on another's systems!

Currently I have been doing something similar to Desktop-OK (I am going to look at that program now to see what else it can do).  I believe its name is  desktop restore.  Very small and takes a snapshot of the desktop.  Allows saving more than one layout.

I make a backup of their desktop before starting anything then sort them to get the system icons to where they are by default.  When I am done with whatever I was helping with I just restore them to the way they were before I started.   People are very touchy about "moving their cheese" so to speak :)

Actually, I would love to hear about any programs apps or methods of modifying Windows desktops as far as Fonts and backgrounds as long as they are reversible and the more focused the effect, the better. "Fences" for instance was overkill for most people but being able to simply group a few icons into an invisible box would be great.

Thanks to all for the great ideas. :Thmbsup:

274
Thanks 4WD.  PROBLEM  OFFICIALLY SOLVED!  Coming from someone who doesn't even use Outlook :) I would say you did one heck of a job! :Thmbsup:

I had gathered a bunch of various utilities but had not figured out how to run them  Thanks Very much for the info!  I got your email and it worked!  :)

PS:  I thought Blat was a Beer Brand?  Doesn't Homer Simpson drink it?

275
This is an embarrassing question to ask as I am very sure the answer is right in front of me somewhere but I never seem to either have time or look in the right place.  I did find a utility to backup and restore the desktop icons but that won't quite get me what I am after.

Windows Desktop normal "Default" sort order arranges the Desktop Icons Alphabetic descending at the start but allows things to be added helter-skelter everywhere afterward.

Some users like to store a 100 icons on their desktop and when they ask me for help it takes forever to locate the ones I need.  Sorting back to alphabetic>descending takes two clicks on sort by name  instead of one.  If I could, I would lock their system icons (the ones supplied by windows) to always be where they start out.  Top Left.
 
So this ends up being two requests.  One for a way to lock the 5 default system icons to always be first starting at top left and second a way to make the sort by name always default to alphabetic descending on first click. 
Both of the answers are most likely out there and easy to find but they are never where I look. :(

PS:  An additional nice touch would be a way to lock any specific icon to a specific location on the desktop one by one.  Not in groups like "Stardock" does.  Just a simple "Lock it here" with right click option would be Great!
