Saturday, June 14, 2008

Good Web Bible Site

http://www.visionteamfellowship.com/biblenew.aspx?Site=1

There are various Chi & Eng versions and some useful maps and tools.

Very Good.

Saturday, December 01, 2007

Virus Again - 62D4F8F5DDAC.exe

One of the PCs in the office counted down 60 seconds to a reboot a few minutes after logon. Again, a trojan from visiting the site www. b l o g o. t w !!
Exactly as described in http://phorum.study-area.org/index.php?PHPSESSID=6d340836b5b3737986eb9441f581132a&topic=48640.msg246549#msg246549

The reboot was stopped with:
Start > Run --> enter "shutdown -a"

A process with the name "62D4F8F5DDAC.exe" was found.
Just like what is described in McAfee's site for a virus called PWS-JU.
http://tw.mcafee.com/virusInfo/default.asp?id=description&virus_k=143551

All 3 files were found at the exact locations:

c:\WINNT\Debug\62D4F8F5DDAC.dll , filesize: 156.672 bytes
c:\WINNT\Debug\62D4F8F5DDAC.exe , filesize: 81.920 bytes
c:\WINNT\system32\od3mdi.dll , filesize: 259.584 bytes


So the 3 files were deleted.

However, just as last time, Winsock crashed. The TCP/IP stack is corrupted. When the trojan malware was installed, it changed some registry keys. The PC cannot connect to the internet.

Again, it was fixed with winsockxpfix.

The colleague said she has not installed anything...
Maybe caused by internet surfing, receiving a jpg file, etc.

Wednesday, October 24, 2007

"premature EOM: unexpected close" & DNSBL in SendMail

Mails from some of the accounts (but not all) at a site (a business partner of my office in S'pore) have not been received since yesterday.
Then I checked the sendmail log. The following lines showing the error were found:

Oct 24 10:14:57 server sendmail [11672]: l9O2EM2Q011672: collect: premature EOM: unexpected close
Oct 24 10:14:57 server sendmail [11672]: l9O2EM2Q011672: collect: unexpected close on connection from dmzxxx.yyy.com, sender=<zzz@yyy.com>
Oct 24 10:14:57 server sendmail [11672]: l9O2EM2Q011672: from=<zzz@yyy.com>, size=0, class=0, nrcpts=3, proto=ESMTP, daemon=MTA, relay=dmzxxx.yyy.com [111.222.333.444]

I looked up the problem on Google and finally, thank God, found some light on the solution. (http://www.outofcontrol.ca/2007/02/28/sendmail-collect-premature-eom-unexpected-close-solution/)
It turned out that something was wrong with the DNS blacklist being used in the sendmail configuration file.
--> One of the open DNSBL, relays.ordb.org, was no longer responding.

According to "DNS Blacklist ORDB.org is shutting down", the relays.ordb.org DNSBL has been shut down since 18 December 2006.

After removing that DNSBL, mails from those accounts are received correctly.

Now we use 3 DNSBLs in sendmail:

  • zen.spamhaus.org
  • list.dsbl.org
  • dnsbl.sorbs.net

I think checking the DNSBL sites from time to time to ensure they are working properly is necessary.
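A periodic health check along those lines, as an added example (not code from this post): it relies on the RFC 5782 convention that a working IPv4 DNSBL lists the test address 127.0.0.2 and does not list 127.0.0.1. The function names and the state labels are assumptions made for illustration.

```python
import socket

# DNSBL zones named in the post: the three still configured, plus the retired one.
ZONES = ["zen.spamhaus.org", "list.dsbl.org", "dnsbl.sorbs.net", "relays.ordb.org"]

def system_resolve(name):
    """Return the IPv4 addresses for name, or [] if the name does not exist.
    Timeouts and server failures propagate as OSError."""
    no_such_name = {socket.EAI_NONAME, getattr(socket, "EAI_NODATA", socket.EAI_NONAME)}
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        if exc.errno in no_such_name:
            return []
        raise
    return sorted({info[4][0] for info in infos})

def check_dnsbl(zone, resolve=system_resolve):
    """Classify a DNSBL zone using the RFC 5782 test entries:
    127.0.0.2 must be listed, 127.0.0.1 must not be."""
    try:
        listed = resolve("2.0.0.127." + zone)
        unlisted = resolve("1.0.0.127." + zone)
    except OSError:
        return "unreachable"       # no answer, as with relays.ordb.org in the post
    if not any(addr.startswith("127.") for addr in listed):
        return "not-listing"       # zone emptied or gone: the filter is silently off
    if unlisted:
        return "lists-everything"  # answers for any query: all mail would be rejected
    return "ok"

def audit(zones=ZONES, resolve=system_resolve):
    """Map each zone to its state; anything other than "ok" needs attention."""
    return {zone: check_dnsbl(zone, resolve) for zone in zones}

if __name__ == "__main__":
    for zone, state in audit().items():
        print(f"{zone:20} {state}")
```

Run it from cron on the mail server itself so the lookups go through the same resolver sendmail uses.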

I don't really understand the connection between the error and the DNSBL termination. The questions are:
  • Not all mails from the same site fail to arrive. Mail from one of the accounts at that site arrives successfully.
  • The error has only appeared in these 2 days, but the ordb.org DNSBL stopped working on 18 Dec 2006!! ??

Anyway, the problem is solved.

Wednesday, October 17, 2007

Cannot connect to the internet after removing trojan

A colleague received an MSN message with a link to the site: www. blogo .tw (space intentionally added to avoid auto-hyperlinking). Once clicked, a trojan is installed on the PC. (Actually, 2 files are added: one is C:\WINDOWS\system32\od3mdi.dll and the other is C:\DOCUMENT AND SETTINGS\USER's PROFILE\LOCAL SETTINGS\Temp\RarSFX0\z.exe). Both files were detected by the anti-virus program and were quarantined.

However, the headache does not end there. The user's PC cannot connect to the internet.
The other symptom is that when trying to use the "ping" command, it replies with a ? and a loud "beep" sound.
Pinging ? with 32 bytes of data:
Reply from 192.168.1.89: bytes=32 time=15ms TTL=247

Finally, it was found that something was wrong with Winsock: the TCP/IP stack was corrupted. When the trojan malware was installed, it changed some registry keys. Antivirus programs, Ad-Aware or Spybot removed the malware but did not correct the registry keys.

Solution: fix the winsock with winsockxpfix.

The tool works fine for the PC. The problem was solved after launching the tool and rebooting the PC!

Reference: http://www.iup.edu/house/resnet/winfix.shtm
http://272586.blogspot.com/2007/07/winsockxpfixie.html

Tuesday, August 28, 2007

Enable the NUM LOCK key for the logon screen

1. Run Registry Editor (Regedt32.exe).
2. Navigate to HKEY_USERS\.Default\Control Panel\Keyboard.
3. Change the value for InitialKeyboardIndicators from 0 to 2.

Source: http://support.microsoft.com/kb/154529

Change the port for Remote desktop

Enter the desired port no. in the registry:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber

Thursday, July 26, 2007

Tibet Slideshow



Not my work. I just found these wonderful photos on the web accidentally.
I wonder when I will have this photographic skill.