This week we’re exploring the capabilities of Microsoft Power BI (an Office 365 add-on) to give us a clear picture of our daily performance.

Power BI allows you to connect multiple data sources from a wide range of on-premise and cloud services and view the live data in a clean dashboard. You can view and share dashboards from the browser, the windows app, or the mobile apps for iOS, Android or Windows Phone. In our case, we wanted the screen in our office to focus on a couple of things: the performance of our support team, and our website statistics.

We’re tracking the support team performance because it’s the core of our business, and the website performance because we’re focusing on delivering more useful content and would like to see how it’s received.

The data we need to track these metrics is stored in external silos – Zendesk and Google Analytics. Luckily, Power BI makes it easy to connect these data sources to a single dashboard.

Here’s a video of it starting up, and a photo of the finished dashboard:

Power BI Dashboard

This setup uses a Raspberry Pi connected to an Azure Virtual Machine running Power BI through the browser.

We’ll be adding new features in the next few weeks involving additional Raspberry Pis, some connected sensors and Azure SQL. Stay tuned!


Last Sunday I received a call from a new customer who found a disturbing message on their Small Business Server 2003 box. The message text advised them that their files had been encrypted and asked them to send a Western Union or MoneyGram order to the value of $4000.00 USD if they want to recover their data. The prompt could not be closed off and it blocked access to Task Manager. The desktop was only visible on immediate logon or logoff. The backup drive connected to the server was formatted.

Thankfully the customer had a second backup drive from the day before. However, their backup had been poorly configured and only contained copies of their important files and folders – it didn’t contain a System State backup. We would normally format and restore from the last known good backup, but in this case the customer stood to lose their Active Directory and Exchange installation since it was not backed up. Instead the best course of action would be to remove the hacker’s message and restore the affected files from backup.

Another technician had already encountered this issue with another server in the past so he was able to provide some more information. The hacker scans for publicly accessible servers listening on the default RDP port 3389. Once they get a hit, they use a dictionary attack to exploit weak passwords. Once logged in, the hacker disables the antivirus and installs malware to encrypt specific files on the system and delete the originals. It also deletes folders that contain the word “backup” and formats removable drives connected to the system. The message is displayed once encryption is complete. See for more details.

This is how we resolved the issue:

  1. Boot from the LiveCD of your choice. I prefer Hiren’s, but it wouldn’t load on this HP Server. Instead I used RegRun’s Warrior as it has a copy of Regedit as well as a DOS based file manager.
  2. Load the “Software” registry hive from C:\Windows\System32\Config\Software and label it “OfflineHive” using regedit. Remove the suspicious entries from HKLM\OfflineHive\Microsoft\Windows\CurrentVersion\Run (the SOFTWARE hive’s contents sit directly under the mount name, so there is no extra SOFTWARE level as there is for a user hive). Unload the Hive.
  3. Load your Administrator NTUser.dat hive from C:\Documents and Settings\Administrator\NTUser.dat and label it “UserHive” using regedit. Remove the suspicious entries from HKLM\UserHive\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Unload the Hive.
  4. Archive or Delete suspicious files named similar to “ncomqrzsoa” in the following locations:
    C:\Documents and Settings\All Users\Desktop\
    Use “attrib -s -h <foldername>” if you are unable to move or delete these folders.
  5. Delete the following files if you find them:
  6. Restart into Windows. You’ll find that it will take a very long time to start up as the Active Directory services (and a lot of other services) had been disabled. I logged into a healthy SBS 2003 server and made sure that the list of services set to start automatically matched on both servers.
  7. Restart the server after the appropriate services were enabled.
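The offline review in steps 2 and 3 can be scripted from a recovery environment that has PowerShell and reg.exe. This is an added example, not code from the original post; it assumes the infected system drive is mounted as D:, that the shell is elevated, and the “review” flags are a constructed heuristic based on the locations and naming described above.

```powershell
# Added example: list Run-key entries from offline SOFTWARE and NTUSER.DAT hives.
# Assumption: the infected system drive is mounted as D: in the recovery shell.
$SystemDrive = 'D:'

# Hive file -> mount name under HKLM and the Run key relative to that mount.
# The SOFTWARE hive holds "Microsoft" directly; NTUSER.DAT keeps it under "Software".
$Hives = @(
    @{ File = "$SystemDrive\Windows\System32\Config\Software"
       Mount = 'OfflineHive'; RunKey = 'Microsoft\Windows\CurrentVersion\Run' },
    @{ File = "$SystemDrive\Documents and Settings\Administrator\NTUser.dat"
       Mount = 'UserHive';    RunKey = 'Software\Microsoft\Windows\CurrentVersion\Run' }
)

foreach ($h in $Hives) {
    if (-not (Test-Path $h.File)) { Write-Warning "Hive not found: $($h.File)"; continue }
    # reg.exe load requires an elevated shell; the hive then appears under HKLM.
    & reg.exe load "HKLM\$($h.Mount)" $h.File | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Could not load $($h.File)"; continue }
    try {
        $key = "HKLM:\$($h.Mount)\$($h.RunKey)"
        if (Test-Path $key) {
            Write-Host "== $key =="
            foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
                if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata
                $val = [string]$p.Value
                # Constructed heuristic: flag entries launched from the All Users desktop
                # or whose name is only lowercase letters (like "ncomqrzsoa" in the post).
                $flag = ''
                if ($val -match 'Documents and Settings\\All Users\\Desktop') { $flag = '  <-- review' }
                elseif ($p.Name -match '^[a-z]{8,}$') { $flag = '  <-- review' }
                Write-Host ("{0,-25} {1}{2}" -f $p.Name, $val, $flag)
            }
        } else { Write-Host "No Run key found under $($h.Mount)" }
    } finally {
        # Always unload so the hive file is released before the server is rebooted.
        & reg.exe unload "HKLM\$($h.Mount)" | Out-Null
    }
}
```

Remove flagged values only after confirming what they launch; deleting an entry in the offline hive takes effect on the next boot of the server.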

After another restart, the SBS server was almost good to go. We changed the RDP port to something different and reset the passwords on all accounts. We also disabled any older accounts or user accounts that the customer didn’t recognise. Workstations had to be restarted and logged in with the new password to connect to the server. Additionally, we ran a full virus and malware scan on the server and all workstations which came up clean.

It is worth considering using a non-default port for RDP for this reason. Also make sure you have a password complexity policy enabled on your domain to avoid weak or dictionary passwords.

Here is a list of services that were set to “Automatic” startup in a healthy SBS 2003:

Application Experience Lookup Service
Automatic Updates
COM+ Event System
Computer Browser
Cryptographic Services
DCOM Server Process Launcher
DHCP Client
DHCP Server
Distributed File System
Distributed Transaction Coordinator
DNS Client
DNS Server
Error Reporting Service
Event Log
File Replication Service
Help and Support
IIS Admin Service
IPSEC Services
Kerberos Key Distribution Center
License Logging
Logical Disk Manager
Machine Debug Manager
Microsoft Exchange Information Store
Microsoft Exchange Management
Microsoft Exchange Routing Engine
Microsoft Exchange System Attendant
Microsoft Firewall
Microsoft ISA Server Control
Microsoft ISA Server Job Scheduler
Microsoft ISA Server Storage
Microsoft Search
Net Logon
Plug and Play
Print Spooler
Protected Storage
Remote Procedure Call (RPC)
Remote Registry
SBCore Service
Secondary Logon
Security Accounts Manager
SharePoint Timer Service
Shell Hardware Detection
Simple Mail Transfer Protocol (SMTP)
System Event Notification
Task Scheduler
Volume Shadow Copy Service
Windows Internet Name Service (WINS)
Windows Management Instrumentation
Windows Time
World Wide Web Publishing Service
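The comparison in step 6 can be done against the list above instead of by eye. This is an added example, not code from the original post; it assumes the list has been saved one display name per line as C:\healthy-auto-services.txt (a constructed path) and that PowerShell with WMI access is available on the recovered server.

```powershell
# Added example: compare this server's automatic-start services with the healthy list.
# Assumption: C:\healthy-auto-services.txt holds the display names above, one per line.
$Baseline = Get-Content 'C:\healthy-auto-services.txt' |
    ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }

# Win32_Service exposes DisplayName, StartMode (Auto/Manual/Disabled) and State.
$Services = Get-WmiObject -Class Win32_Service

$ByDisplayName = @{}
foreach ($s in $Services) {
    if ($s.DisplayName) { $ByDisplayName[$s.DisplayName] = $s }
}

Write-Host "Services in the healthy list that are not set to Automatic here:"
foreach ($name in $Baseline) {
    $svc = $ByDisplayName[$name]
    if ($null -eq $svc) { Write-Host ("  {0,-45} NOT INSTALLED" -f $name); continue }
    if ($svc.StartMode -ne 'Auto') {
        Write-Host ("  {0,-45} {1,-8} (state: {2})" -f $name, $svc.StartMode, $svc.State)
    }
}

# Anything set to Automatic that a healthy SBS 2003 does not start deserves a look,
# since the post describes malware being installed alongside disabled services.
Write-Host "`nAutomatic services here that are not in the healthy list (check these):"
foreach ($s in ($Services | Where-Object { $_.StartMode -eq 'Auto' })) {
    if ($Baseline -notcontains $s.DisplayName) {
        Write-Host ("  {0,-45} {1}" -f $s.DisplayName, $s.PathName)
    }
}

# Once a missing service has been reviewed, restore its startup type, e.g.:
# Set-Service -Name $svc.Name -StartupType Automatic
```

Run it once before the restart in step 7 and again afterwards to confirm the two servers now match.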

GCITS provides expert IT Support for businesses on the Gold Coast and Tweed region. As part of the Ozbizweb Group, we have been Microsoft Certified Partners since 2001 and Microsoft Small Business Server Specialists.

Ask us how we can make IT work for your business.