
Last night, when I was excited to go home to sleep early after a few days of staying up late, my sister told me that something had happened to my laptop. The screen was all black. Well, it's not the "blue screen of death" as they say, and so I thought it just froze.

And so I logged off, then after logging in again I couldn't believe it was really blank. The desktop and the taskbar were gone, and it was not responding to any click, double click, Ctrl+Alt+Delete, Ctrl+Shift+Esc, Windows+E or any keyboard and mouse functions. But then there was this persistent application, Yahoo Messenger, which through all of this kept going online. I was told by my sister that her friends were asking her why she was asking for some prepaid load. Upon hearing that, I knew her YM account was hacked.

I told her to change her password immediately, but she then complained, "how am I supposed to do it with the laptop in this state?"

And she was absolutely right, how can I go on with this... But of course I know I can launch IE using the "Help" menu. So I was able to change her password and warn everybody on her contact list to change their passwords too, as well as not to click any link sent by her, because these are links that open some virus files (easy to spot because it was an .exe file extension).

Going back to my black screen, I knew I had a virus on my laptop, and so using IE I thought of scanning it online. Well, we all know scanning online would take some time (I was warned!) but it's fine (since I'm watching "The Wedding"). But after “The Wedding”, 1 & 1/4 hours (according to Trend Micro) would be too long (it’s past my bedtime), and so I came to my senses…

"I have Internet Explorer so I can open my files, right?" So I did… Then I asked Mr. Google what the possible reasons are for this black screen, and he told me that good old explorer.exe might have been disabled by a virus, and so I needed to check the registry. So to Regedit I go (residing at c:\windows), but then Regedit told me that he was disabled by the administrator! Asking Mr. Google again, somebody from winhelponline told me that either I needed to use the Group Policy Editor (huh?! OMGWTFBBQ, I don’t know how to do this) or I can use the reg_enable.vbs that they have provided (whew, sigh of relief).

Anyway, using the first method you should:

  • Click Start, type gpedit.msc in the Search box, and press ENTER (alternatively it’s residing at C:\Windows\System32)
  • Go to the following branch: User Configuration | Administrative Templates | System
  • Double-click Prevent access to registry editing tools
  • Set it as Not Configured

Important: If it's already set to Not Configured, set it to Enabled and click Apply. Then repeat the steps and revert the setting back to Not Configured. This removes the registry based policy if set already.

Being too lazy and sleepy, I used the easier method, which is:

  • Download reg_enable.vbs, and save it to Desktop
  • Open an elevated command prompt. To do this, click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator. If you are prompted for an administrator password or for a confirmation, type the password, or click Allow.
  • Switch to your Desktop directory by typing the following command, and then pressing ENTER:  cd /d %userprofile%\desktop
  • Then, type the following command and press ENTER : wscript.exe  reg_enable.vbs
  • Type EXIT to close the Command Prompt window.

Oh, just an FYI, I was able to show my explorer.exe (which was located in C:\Windows) before I performed the method. After doing so, I was able to open the registry (hurray!) and guess what I’ve found: under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon the SHELL entry has two values, explorer.exe and GPHONE.EXE. Alas, I found the culprit!

Of course I removed the GPHONE.EXE because it is a file that an instant-message worm infects. This worm spreads through Google chat and Yahoo! Messenger. This “Gphone.exe” worm disables your antivirus security software, and downloads more crapware onto your PC.
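The two registry checks from this story, as an added Python example (not part of the original post): it reads the text output of `reg query` for the Winlogon key and flags anything in Shell other than explorer.exe, and it reads DisableRegistryTools, the per-user value under Policies\System that backs the "Prevent access to registry editing tools" policy. The sample outputs are constructed, and splitting the Shell data on spaces and commas is an assumption about how the extra program was appended.

```python
import re

# Constructed `reg query` outputs modelled on the state described in the post.
WINLOGON_SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe GPHONE.EXE
"""
CLEAN_WINLOGON = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe
"""
POLICY_SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableRegistryTools    REG_DWORD    0x1
"""

# Only the bare default shell is accepted; a full path or any other
# program is reported so that a person can review it.
EXPECTED_SHELL = {"explorer.exe"}


def reg_values(reg_query_output):
    """Map lower-cased value name -> data string from `reg query` text."""
    values = {}
    for line in reg_query_output.splitlines():
        m = re.match(r"^\s+(\S+)\s+(REG_\w+)\s*(.*)$", line)
        if m:
            values[m.group(1).lower()] = m.group(3).strip()
    return values


def extra_shell_programs(winlogon_output):
    """Return Shell entries that are not the default explorer.exe."""
    shell = reg_values(winlogon_output).get("shell", "")
    programs = [p.strip('"') for p in re.split(r"[,\s]+", shell) if p]
    return [p for p in programs if p.lower() not in EXPECTED_SHELL]


def registry_tools_disabled(policy_output):
    """True when DisableRegistryTools is present and non-zero."""
    data = reg_values(policy_output).get("disableregistrytools")
    return bool(data) and int(data, 16) != 0


if __name__ == "__main__":
    print("unexpected Shell entries:", extra_shell_programs(WINLOGON_SAMPLE))
    print("regedit blocked by policy:", registry_tools_disabled(POLICY_SAMPLE))
```
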

Well, removing GPHONE.EXE from the registry is just the beginning of the story… Because I have a lot of cleaning up to do, that’s it for now.

 


I have revisited the list of bugs that we came across in our last project, and here’s one I would like to share…


After months of rigorous testing of our new web services, we encountered a major showstopper: our web service would not install. We got an “AddressAlreadyInUseException”.

The exception was caused by a port collision between our web services and some of our applications. We were surprised that it took months for the port collision to surface. After closing all the running applications, we tried to replicate the scenario, but tough luck: even after trying for the nth time, it was not reproducible. What we did next was reopen those applications from our suite, and alas, we were able to catch the culprit. It turned out that our applications use ephemeral ports intermittently, causing port collisions with our web services as we install them.

So what is an ephemeral port?

An ephemeral port or “short lived port” is a dynamically allocated port generally used for the client-end of a client-server communication. In a client-server interaction, the server’s application typically listens on a well known port whereas the client’s application queries the operating system for a dynamically allocated TCP or UDP port that is not used by other applications.

What we thought was a safe port range (ports higher than 5000) for our web services has changed.  We're aware that earlier Windows versions (XP and 2003) used 1025 through 5000 as their default port range.  However we found out that for Windows Vista and Windows Server 2008, Microsoft complied with the port range recommended by the Internet Assigned Numbers Authority (IANA) - to use 49152 through 65535 as dynamic and/or private default port range.

So, to lessen the chances of port collision, at least for our applications and web services, what we did (as Microsoft recommends) was this: prior to installing our application suite on a Vista or Server 2008 operating system, we revert to the default port range of the old Windows versions, 1025 through 5000, using the netsh command:

netsh int <ipv4|ipv6> set dynamic <tcp|udp> start=number num=range

In our case we used: netsh int ipv4 set dynamic tcp start=1025 num=3975

And to verify the dynamic TCP port range in Vista or Server 2008 we used:

netsh int ipv4 show dynamicport tcp

The same netsh command is also available for the other protocols:

  • netsh int ipv4 show dynamicport udp
  • netsh int ipv6 show dynamicport tcp
  • netsh int ipv6 show dynamicport udp 


 

A few important things I have read about port range:

  • The smallest range of ports you can set is 255.
  • The lowest starting port that you can set is 1025.
  • The highest end port (based on the range you set) cannot exceed 65535.
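The range arithmetic and the three limits listed above, as an added Python example (not code from the original post): it validates a start/num pair, parses the text printed by `netsh int ipv4 show dynamicport tcp`, and reports which service ports fall inside the dynamic range. The sample output and the service ports 8080 and 50010 are constructed for illustration.

```python
import re

MIN_START = 1025   # lowest starting port (per the list above)
MIN_COUNT = 255    # smallest range (per the list above)
MAX_PORT = 65535   # highest end port (per the list above)

# Constructed sample of the default Vista / Server 2008 output.
SAMPLE_VISTA_OUTPUT = """
Protocol tcp Dynamic Port Range
---------------------------------
Start Port      : 49152
Number of Ports : 16384
"""


def dynamic_range(start, num):
    """Return (first, last) for 'start=<start> num=<num>' or raise ValueError."""
    if start < MIN_START:
        raise ValueError(f"start {start} is below {MIN_START}")
    if num < MIN_COUNT:
        raise ValueError(f"range of {num} ports is smaller than {MIN_COUNT}")
    last = start + num - 1          # num counts ports, so the end is inclusive
    if last > MAX_PORT:
        raise ValueError(f"end port {last} exceeds {MAX_PORT}")
    return start, last


def parse_show_dynamicport(text):
    """Extract the range from 'netsh int ipv4 show dynamicport tcp' output."""
    start = re.search(r"Start Port\s*:\s*(\d+)", text)
    num = re.search(r"Number of Ports\s*:\s*(\d+)", text)
    if not (start and num):
        raise ValueError("no dynamic port range found in output")
    return dynamic_range(int(start.group(1)), int(num.group(1)))


def colliding_ports(service_ports, port_range):
    """Service ports that the OS may also hand out as ephemeral ports."""
    first, last = port_range
    return sorted(p for p in service_ports if first <= p <= last)


if __name__ == "__main__":
    services = [8080, 50010]        # hypothetical web-service ports
    for rng in (parse_show_dynamicport(SAMPLE_VISTA_OUTPUT),
                dynamic_range(1025, 3975)):
        print(rng, "collisions:", colliding_ports(services, rng))
```

With start=1025 and num=3975 the computed range ends at port 4999, because the last port is start + num - 1.
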


 

For more info, read Article 929851.

 


 

To start off, my full name is Ma. Sherryl Dela Cruz. I am a software developer working on process control and automation. I used to teach, I love to teach and I miss teaching, but with the workload that I have, I couldn't find time to get back into the classroom.

With my present job I got my hands dirty with C# and .NET languages. I never thought that the abstracts that I have been teaching and sharing with my students before would become real instances. Anyhow, since I have missed teaching, this blog will serve as my virtual classroom, where I continue doing what I'm passionate about... learning and teaching.