Jim Lawrence
accessd at shaw.ca
Wed Sep 25 13:04:15 CDT 2013
Hi John:

Any breakthroughs yet?

Removed a supposed virus protection program that a client had installed yesterday. The client of course denied it and the program was actually a black-mail routine. When I arrived, email was inaccessible, warnings were popping up continuously, the task-manager was blocked as well as access to the command prompt and the only functioning browser led straight to their payment site and the Microsoft essentials security was disabled. As you would guess the malware was everywhere in the system...in the paths, superseding legitimate apps, every start up spot, all through the registry and so on.

It took over three hours to remove and there are still fixes needed but at least the client can now do her work. The best method would have been to re-format and start again but that process would probably have taken eight to ten hours.

Jim

----- Original Message -----
From: "John R Bartow" <jbartow at winhaven.net>
To: "Discussion of Hardware and Software issues" <dba-tech at databaseadvisors.com>
Sent: Monday, September 23, 2013 6:48:55 PM
Subject: Re: [dba-Tech] Windows Event Log help

Thanks, first thing I did. Nothing new. There are software vendors with remote support so I always suspect them ;-)

-----Original Message-----
From: dba-tech-bounces at databaseadvisors.com [mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Jim Lawrence
Sent: Monday, September 23, 2013 3:15 PM
To: Discussion of Hardware and Software issues
Subject: Re: [dba-Tech] Windows Event Log help

Hi John:

Other than by using observation and/or running the MS event logging there is no obvious way to absolutely identify the culprit. That said, as programs that enact a periodic forced reboot are rare, I would suspect a new application has been loaded on the system recently and I would check the "Add and Remove programs" section and check the Services section and try to spot some app that is unfamiliar and either remove it or turn it off.
Jim

----- Original Message -----
From: "John R Bartow" <jbartow at winhaven.net>
To: "Discussion of Hardware and Software issues" <dba-tech at databaseadvisors.com>
Sent: Sunday, September 22, 2013 8:04:25 PM
Subject: Re: [dba-Tech] Windows Event Log help

Jim,

It wasn't a crash. I don't have Windows automatic updates enabled. I do that via my RMM via WSUS. I've also run into the Windows 7 Home issue but all of these stations are Windows 7 Pro.

Oracle's Java updated to 7.4 but I didn't authorize it and I can't find any options for how it upgrades now. (I can also do that via RMM but I need to be able to figure out how to turn it off on the workstations too.)

So I'm trying to do the detective work of which program caused this: WSUS, Java, or something else. Question is how? I thought the event log would be the way to go but it seems to only tell me it shut down - but not why.

John B

-----Original Message-----
From: dba-tech-bounces at databaseadvisors.com [mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Jim Lawrence
Sent: Sunday, September 22, 2013 12:44 PM
To: Discussion of Hardware and Software issues
Subject: Re: [dba-Tech] Windows Event Log help

Hi John:

You seem to have a problem with your updates. I (try to) never have automatic updates...they are just too dangerous. The last thing needed is a client's site crashing during a work day. That said, do you have the full event log or just the dump file?

Windows does have events that will over-ride any settings. This happens when an update has been installed and then the immediate reboot cycle has been postponed. The Home edition of Windows 7 is just such a beast. At one point it will decide, regardless of the settings, that some process must be handled...it first prompts how long before boot cycle starts, which can be up to four hours, but if no one takes action within a five minute window, it starts a shutdown and reboot cycle of about two minutes. Your description does sound like that.
Jim

----- Original Message -----
From: "John R Bartow" <jbartow at winhaven.net>
To: "DBA-Tech" <dba-tech at databaseadvisors.com>
Sent: Saturday, September 21, 2013 1:02:18 PM
Subject: [dba-Tech] Windows Event Log help

Do any of you fine people know how to filter the event log for what PROGRAM caused a reboot?

I know Event IDs 6005 and 6006 will indicate a power down event but that information isn't very helpful by itself in this instance.

I had an entire office of workstations reboot once during the day (at various times). They all got a 2 minute warning that the computer was going to reboot, save your work, etc. which sounds like my script. Except my script happens on Tuesday nights not Thursday during work hours.

It appears that Java was updated but I do not allow for automatic updates, so, I'm trying to track this down.

TIA
John B

_______________________________________________
dba-Tech mailing list
dba-Tech at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/dba-tech
Website: http://www.databaseadvisors.com
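
An added example, not part of the original thread: besides the 6005/6006 start/stop markers mentioned above, the System log records Event ID 1074 (provider User32) when a process requests a shutdown or restart, and that record names the requesting process and user. The helper name `Get-ShutdownInitiator`, the seven-day window and the property positions are assumptions of this sketch.

```powershell
# Added example; Get-ShutdownInitiator is a hypothetical helper name.
# Event ID 1074 in the System log is written when a process asks Windows to
# shut down or restart, and it names that process.
# Property positions below follow the usual 1074 payload layout (assumption:
# check them against the event's Message text on your build).
function Get-ShutdownInitiator {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [datetime]$After = (Get-Date).AddDays(-7)   # assumed look-back window
    )
    foreach ($computer in $ComputerName) {
        $filter = @{ LogName = 'System'; Id = 1074; StartTime = $After }
        # SilentlyContinue: Get-WinEvent raises an error when nothing matches.
        Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction SilentlyContinue |
            Select-Object TimeCreated,
                @{ n = 'Computer'; e = { $computer } },
                @{ n = 'Process';  e = { $_.Properties[0].Value } },
                @{ n = 'User';     e = { $_.Properties[6].Value } },
                @{ n = 'Action';   e = { $_.Properties[4].Value } },
                @{ n = 'Reason';   e = { $_.Properties[2].Value } },
                @{ n = 'Comment';  e = { $_.Properties[5].Value } }
    }
}

# Which executable asked for each restart, newest first.
$hits = Get-ShutdownInitiator | Sort-Object TimeCreated -Descending
$hits | Format-Table TimeCreated, Computer, Process, User, Action -AutoSize -Wrap

# Restart requests per process: an unexpected updater or installer stands out here.
$hits | Group-Object Process | Sort-Object Count -Descending | Select-Object Count, Name
```

Pass several workstation names to `-ComputerName` to compare an office's machines in one run; an empty result means no process-initiated shutdown was logged in the window.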