There are times when Microsoft makes me wonder. You develop this cool technology, ClearType, which helps reduce eyestrain, you put checkboxes all over the Remote desktop client allowing me to choose to use or not use it, you have it active in the shell... but then you casually ignore it and withhold it from me. What gives?

Oh, a KB article sheds some light:

The option to enable theFont smoothing feature is not available in the version of RDC that was released with Windows Server 2003. By default, Windows Server 2003 disables theFont smoothing feature in all remote connections. These connections include the connections that are established through RDC 6.0.

Happily, MS's dictatorship is matched only by its benevolence, because there's a "hotfix" available for this problem:

KB946633:The "Font smoothing" feature has no effect in Windows Server 2003 terminal sessions

It kinda cracks me up...

"We'll put the feature in."

"But it doesn't work. We should disable the checkboxes"

"Why would we do that?"

I bring this up because we just migrated a client over to a terminal server environment, and the number one complaint was "My fonts aren't fuzzy!"

Since I actually prefer the crispness of an LCD display, I didn't really notice, or care, but since I wasn't signing the check, I did my best to comply. I used bing to google the issue, and found the hotfix.

Of course, since it's a hotfix, it requires a reboot... so here I am at 5:30 AM, having just rebooted the server.

This hotfix is available via draconian download -- you fill out a form, they send an email with the link - however, they put the link in parentheses, so Outlook botches the conversion and breaks the link, resulting in the need for you to copy and paste the URL into your browser. From there, it's a Start > Next > Finish install and a reboot seals the deal.

As a side note: ClearType increases the bandwidth requirements, and is only available if you're running in "High Bandwidth" mode in the RDP 6.0 (or better) client. It also needs to be turned on in the desktop session.

In the RDP client:

Click Options > Experience tab

The check off the "font smoothing" box.

On the Windows 2003 Desktop:

Right click on the desktop > Properties >Appearance tab > Effects button

That should do it!

I've gotten two calls from clients (OK, one was a client, the other my mother-in-law) saying they visited the NYTimes website and were attacked by malware.

This is true, they were. My MIL said she was trying to read Maureen Dowd and got hit with a rogue anti-spyware application. I was able to CoPilot in and clean things up. (There didn't seem much to clean up, I killed a running process of IE (she uses Chrome) and the scare-screen went away.

I sparked up an unpatchedWinXP Virtual Machine running IE6 and went to the NYT website, and was prompted immediately to install flash. I opted not to and surfed around the site, fighting the information bar's insistence that I install an ActiveX Control.

So, I gave in and voila!

So, no matter how you answer, you're already stung.

Of course, your instinct is to click "Cancel" and you do, and then you're scared out of your wits when confronted with this page from protection-check07.com (don't go there!) and proceeds to make you think you're infected.

But, if we take a second to look at the scare box, we see something is amiss...

We don't have an E: drive ... and the optical drive we have is a CD-Rom, not a DVD-RAM drive...

The page that pops up is meant to scare you. The infections it reports are false -- the only infection you have (at the moment) is the webpage. If you go into taskmanager and find iexplorer.exe (or firefox.exe if you use Mozilla Firefox) and right-click on it and choose "End Process" that should make the pop-up go away.

If you click ANYWHERE on the page, it will prompt you to download a program:

Seems reasonable -- you got a warning you were infected, and you want to download a file called "Scanner-75f_2015.exe" seems legit.

IT'S NOT.

(But you knew that by now, right?)

However, this is a clear indication of how a fully patched system gets compromised. Some buys ad space on a major website. They probably serve a lot of legit ads, but in a few instances, they serve illegitmate ads. In this case, they seem to be using Flash as an attack vector. Flash movie loads and redirects your browser to a rogue site, and they're off to the races.

Since I'm a professional, I downloaded the file -- I didn't run it -- and I submitted it to http://virscan.org an online file scanner which tests a file against 37 of the leading anti-virus vendors.

Somewhat sadly, only 5 out of 37 scanners picked this up as malware:

I also ran the file thru VirusTotal.com which tests against 41 scanners, and 7 scanners turned up a positive on our file:

You can see the full report over on VirusTotal's site: http://www.virustotal.com/analisis/7bda9187e26b5a185501874b201731f12e3604c078408500abda83c35ef2fbe1-1252857630

The one thing that surprised me on the results was Microsoft's detection, trumping McAfee, Symantec, AVG and Clam-AV among many others. I've never considered MS a true player in the anti-malware landscape, but perhaps I will re-evaluate.

Kaspersky, and most othersecurity vendors, offers an online scan of your system (requires Java). If you don't have an anti-virus product installed -- or even if you do -- you might want to visit a different security vendor site than the one you have to do a check. Belt and suspenders and all that.

(This piece of spyware also eluded my trustyMalwarebytes Anti-Malware (www.malwarebytes.org) which should reinforce that no one piece of software can provide 100% protection.

There is no strong defense for this, as nothing you overtly do can cause it. Make sure your anti-virus is up to date, do regular scans of your computer -- but MOST importantly --keep backups.

As for the clients, one of them uses Norton GoBACK (since superceded in the marketplace by Ghost 14) , so they restored their machine back an hour before the infection occurred, went back to the NY Times site, got re-infected, restored AGAIN using GoBack, and then stayed away from the NY Times site. And my Mother-in-Law has been trained well and as soon as the box popped up, she called me and I was able to CoPilot into her machine and close IE before it did any damage... may you all be as lucky.

Further Info:

http://ask.metafilter.com/132707/nytimes-spyware

http://discussions.apple.com/thread.jspa?messageID=10197120&tstart=0

http://forums.mozillazine.org/viewtopic.php?f=38&t=1481195

[UPDATE: 1:30 PM, Sunday Sept 13 - the NY Times site seems to have stopped serving the ad. Further attempts to get infected have proven unsuccessful.]

A client came to us with an interesting problem -- his laptop was removed from his company's domain and his documents were no longer available to him. He could see the mapped drive, and the folders and files, but when he tried to launch any of the files, he got an "Access Denied" error.

So, offline files had his documents stored locally, but his lack of network credentials was keeping us from them.

While massively inconvenient, this is how it should be. No credentials, no files. Downside, of course, was I couldn't get the documents copied to the local drive.

Windows 2003 Resource Kit to the rescue!

There's a utility, csccmd.exe which, as the name imples, allows you to work with the "client side cache" (the pre-release name for Offline Files). The most recent version of the csccmd.exe has an option to EXTRACT files from the client side cache and put them on the local drive somewhere.

So, I grabbed the Windows 2003 Resource Kit, downloaded it, installed it,and ran csccmd.exe and it didn't work.

Wha?

Seems there is a NEWER version of csccmd.exe that is only available (officially) from MS Product Support Services (PSS). (Unofficially, use bing to google csccmd.exe 1.1) which does the job. I downloaded it and copied it into c:\windows (just to avoid path issues).

(I assume it's only available from PSS because it totally bypasses the security issue.)

So, logged in as an administrator, I created a temporary folderand opened a command prompt (do I show my age by insisting on calling it a DOS window?) and typed:

csccmd.exe /extract:\\server\share /target:c:\temp\user /recurse

Ta-da!

The files copied, rights of the folder they were copied into prevails (which is to say that the ACL information was not extracted as well) and he's happy because he has his documents back.

Back when Windows 3.1 came out, it shipped with "display" fonts -- these were bitmapped fonts and the precursor to True type fonts -- who knew they'd still be vital in Windows Server 2003.

A client had a problem with their Great Plains installation -- the fonts went all screwy and while they could still make out the display (barely) they couldn't print checks since the Mekorma font they were using wasn't playing nice.

Clicking on the start menu revealed the username to be in the Marlett font, a font Windows uses for drawing parts of its UI (the X in the close box, the minimize and maximize symbols, etc.). we've seen this problem before, and it's usually fixed by running TweakUI and reparing the font folder. Reboot and voila.

So we do that and the checks can print, but the display font is still not right in Great Plains. Everywhere else in Windows it's fine, but Great Plains is still hinky.

We try all sorts of things -- we delete all the fonts and reinstall them from the c:\windows\fonts folder of a sister Windows 2003 server; no dice.

We troll Great Plains newsgroups, we repair the font folder, we do a repair installation of Great Plains, nothing does the trick.

It has to be a font issue, but which fonts?

We have the Great Plains consultant send over his theory -- a Helvetica font set. Does nothing.

Over at Experts-Exchange (a site well worth the subscription), one of the Great Plains MVPs who was helping us out posted a screen shot of her splash screen, and when compared to ours, I thought to myself "that looks like MS Sans Serif" -- a system font from way back when.

Windows XP brought along a new set of fonts it used in its shell, and MS Sans Serif was deprecated in favor of Verdana, Tahoma and the "modern" UI fonts Microsoft was putting forth.

I opened up a share on a Windows 2000 box, and there was a whole bunch of .fon fonts that weren't on our system. So I copied them over to a temp folder and tried to install them onto our server. Only 3 showed up in the list, and there were a dozen or more in the folder.

Ah! They were hidden. I uncheck the hidden attribute and reinstall the fonts. All of them show up in the list.

I select all, click OK, I get a few "a version of this font is already installed" errors, and then they're done importing.

Now, MS Sans Serif is in the list of available fonts, and lo and behold, our screen is back to normal.

Many thanks to Victoria Yudin who helped us with this issue.

In what is becoming a series, we'll further tweak our code to allow for filtering of the query.

In the original code, we open a query directly as a recordset. This fails if the query requires some parameters.

(I'm not going to demonstrate a way to get user input and use that as the parameter. You should be able to copy and paste the code from the original user input sections of the code and modify as needed.)

To start, let's discuss the query and it's parameter.

In our original code, the query was just pulling a list of email addresses. For this, let's filter that list of addresses by domain.
Read the rest of this entry »