Archive for October, 2007

IRMONS.DLL Backdoor Trojan

Wednesday, October 24th, 2007

Process Explorer

Symantec Antivirus detected irmons.dll as a trojan (Backdoor.EggDrop). The alert showed Access Denied together with Clean Failed and Quarantine Failed, meaning it was unable to delete the file, most likely because a running process was holding it open.

Because the infection was on a file server, restarting it into Safe Mode was not an option unless every user first stopped working on the files they had open on the server.

So as not to interrupt the users' work, I downloaded Process Explorer from Sysinternals.com & used it to terminate the process that was attempting to run irmons.dll. I then cleaned up the file by running SAV to quarantine it & finally removed every reference to it from the system registry.

Because the antivirus had denied the trojan proper execution, isolating the problem was relatively easy. Had it actually run, there would likely be other files & traces on the infected system that would also need cleaning up.

Testing Problematic Network Ports

Tuesday, October 23rd, 2007

A simple task of replacing a burnt 3COM switch & rearranging the patch cords into proper sequence turned into a major troubleshooting exercise when, after plugging in the new switch & cascading it to an existing switch, no user on the network could access the network any longer.

It did not help that these two switches are also linked via fibre to another department nearby. The fact that the face plates at the users' locations are only partially numbered & the patch cords are not numbered at all made isolating the problem even harder.

Our first suspect was a loop: two uplinks between the same two switches, namely the fibre link & an Ethernet link that we had accidentally plugged into the patch panel while disconnecting & rearranging the cables. But with no indication of where it was & no network diagram of any kind, we had to test one step at a time:

first disconnect all the cables on the server rack at our end,

cascade the two switches, then connect the fibre link,

ensure the remote location is able to access the network,

then connect a workstation to the local switches and, at a command prompt, run ipconfig /release followed by ipconfig /renew every time a patch cord is connected from the patch panel on the server rack to a port on the switch.

This checks that the workstation can obtain an IP lease from the server without any problem. If it cannot, the patch cord just connected is the source of the problem.

The process also forced us to label the patch cords properly, tidy up the cable layout & finally isolate the problematic point on the patch panel, all with the users breathing down our necks.

Once all this was done & the network was fully functional again, one particular user was still unable to access the network. In fact, the network icon on her computer showed a disconnected sign.

We suspected a dead port on the old switch, the one we had cascaded the new switch to, since we had rearranged the network points.

Without a data point number on the face plate near her table, we had to unplug the unused ports from the patch panel (the ones whose LED was not lit on the old switch), plug one end of a network cable into a port on the new switch & then plug the other end into each unused patch panel port one by one.

Since those ports are unused, no LED on the new switch should light up when the cable is plugged into each patch panel port. If an LED does light up, that point is actually in use & was dark only because the corresponding port on the old switch is dead, so we have isolated the faulty port on the old switch.

We managed to isolate the problematic port on the old switch, taped it over so no one would accidentally use it again & checked every single network point to ensure it was functional.

The whole process took 2½ hours, but that is better than dealing with the erratic problems these two issues could have caused a few weeks down the road, by which time we would have been clueless about the cause.

Vista Prompt Outlook Has Stopped Working

Tuesday, October 23rd, 2007

A user complained of an error whenever he started Outlook 2007. Vista reported that Outlook (the application) had stopped working & suggested checking online for a solution; when he did, no solution was available.

Reinstalling Office 2007 did not help, & neither did a full uninstall & reinstall. The Email Accounts option showed two email accounts set up in his Outlook, so we decided one of them could be causing the problem.

The solution: exit Outlook & open the Mail option in Control Panel. Before we even deleted the account, a prompt appeared saying the account we intended to remove had incomplete information. After filling in the appropriate information & restarting Outlook, the problem disappeared.

Automating Telnet Session

Saturday, October 20th, 2007

There will be times when you need to automate a telnet session. Although telnet is considered an insecure way to connect to a device (everything, credentials included, travels in clear text), there are situations where you will need it, e.g. telnetting to your router, mail server, etc.

The tool can be downloaded here. We cannot support you on how to use it, since we are not the author, but we are making it available because it is getting very difficult to locate a copy of it elsewhere on the net.

Telnet Scripting Tool

We use this particular tool to automate opening ports on our router only at certain times of the day & closing them again automatically once the required window has passed. This minimises exposure to attacks from outside the network & reduces the chance of dictionary or brute-force attacks succeeding.

For example, create a text file (e.g. create.txt) consisting of the commands you want to send to the router, as follows:

192.168.1.100 23
WAIT "User :"
SEND "Admin\m"
WAIT "Password :"
SEND "poiuytr\m"
WAIT "=>"
SEND "nat create protocol=tcp inside_addr=192.168.1.106:3389 outside_addr=0.0.0.0:3389 \m"
WAIT "=>"
SEND "config save\m"
WAIT "=>"
SEND "exit\m"
WAIT "Connection to host lost."

Then create a batch file (e.g. nat.bat) with the following line:

tst10.exe /r:create.txt /o:createout.txt /m

Set a scheduled task on your server to run the above batch file, & set another task that removes the NAT port mapping using a second script with nat delete in place of nat create & the same parameters.

The script above is for Alcatel ST510 routers, so the prompts & commands will differ between makes & models; amend it accordingly. Basically, WAIT waits for the remote end to return the given text, SEND sends the given text to the remote end, & \m is the carriage return sent to the remote end.

Another use for this tool is testing your web, SMTP or POP3 servers, which can save you a lot of typing.

Outlook Crash Lost Emails

Saturday, October 20th, 2007

There is a reason some administrators prefer to configure POP3 retrieval in Outlook to leave a copy of the emails on the server & delete them only after 5 days or more: it prevents emails being lost when an Outlook version prior to 2003 reaches its 2 GB .pst file size limit.

Once your .pst file reaches 2 GB, every subsequent receive attempt removes the emails from the POP3 server, but the retrieved mails never reach your inbox. Even if you later reduce the size of the .pst file, the mails retrieved before that date are gone for good.

On some systems Outlook may not be able to open the .pst file at all once it reaches 1.8 GB or more. In some instances scanpst.exe may help, but only temporarily: Outlook will crash again within 1-2 days unless you start archiving the older mails immediately.

If that does not work, you can try downloading the PST/OST Cropping Tool, which truncates the corrupted .pst to a smaller size. Some data loss may occur due to the truncation.

kb296088

If reducing the .pst file size still does not let you recover your mails, you may need to open Control Panel, click the Mail icon, create a new profile with a new .pst file, & import everything from the old .pst file into this new profile.

This should work in most situations.

Domain Admins no administrative rights to Vista machines

Wednesday, October 17th, 2007

After joining a Sony notebook to the company's domain & promptly restarting it, I was able to log in but unable to change anything that requires admin rights, such as changing a User Account type, activating software, etc.

It seems that even domain admins have no rights on a newly joined Vista machine. The local administrator account has to explicitly grant admin rights to the domain administrator before he can make any changes.

Log out, then instead of selecting the default user shown, click Other User & type localmachinename\username followed by the password. Then go to Control Panel, User Accounts, add your domain admin name & the domain, & set his rights to Administrator on the local machine; only then does he get any control.

While you are at it, you may also wish to turn off User Account Control if you have other software to install, because you may have problems installing CS3 & other products that require activation, which UAC restricts.

You can turn it back on once you have completed the initial setup of your new notebook.

IPEVO2 Phone installation error on Windows Vista

Wednesday, October 17th, 2007

When installing the driver for this phone (actually an application you run from the CD), halfway through the process you are prompted with an error that the software is unable to register the oleaut32.dll file, & later another error about a .tlb file whose exact name I cannot remember.

If you ignore both error prompts, the phone will still work with Skype, but the controls on the IPEVO2 Phone such as scrolling & dialling out will not function properly. To be able to scroll through your contact list on the phone & make outgoing calls from it, install the software again, but this time, instead of ignoring the error, do the following:

1. Click the Start button (in the same location as before, but shown as a Windows logo on Vista) & type CMD in the Search box.

2. In the list of programs directly above it you will see cmd (the command prompt icon); right-click it & select Run as administrator.

3. When the black command prompt window appears, type regsvr32 oleaut32.dll at the blinking cursor.

4. It should report that registration succeeded; if it did not, type cd \windows\system32 & then try again.

5. Close the black window, go back to the software installation & click Ignore on the current prompt & any subsequent prompts.

You should be able to use the IPEVO phone upon restarting the PC.

Local Only Access On Windows Vista

Wednesday, October 17th, 2007

An Asus notebook already configured as a member of the company domain suddenly lost its connectivity to the Internet & to file & printer shares. The two-computer icon on the taskbar showed connected, but hovering the mouse over it said Local Only Access.

IPv6, which Vista selects by default, seemed to be causing the problem. After disabling it & restarting, the notebook was able to obtain an IP address from the DHCP server, which is also the router.

Unfortunately, the router (a Comtrend or similar) seemed confused about whom it had already issued IP addresses to, & there were IP address conflicts all over the office. The first occurrence was on another notebook, which reported an address conflict with another node at 10.0.0.3; but when I pinged that address, it came back with a request timed out response.

Checking every single system on the network did not turn up any node with that address. I suspected either a node with dual network cards or someone from outside the network connected via our wireless access point. However, the router (COMTREND!!) has no logging capability that I could check.

In the end I had to disable the DHCP server on the router & use the DHCP server on the Windows 2003 Server to issue IP addresses instead. The rogue node also seems to have disappeared, or perhaps its lease has not yet expired so it has not requested a renewal from the server yet. If it does eventually attempt to renew its IP, I will be able to see it in the server log.
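As an added example (not from the post), this is how the lease history of the conflicting address can be pulled out of the Windows DHCP server audit log once the server is handing out leases: every MAC the address was ever given to, plus any conflict-detection events. The column layout (ID,Date,Time,Description,IP Address,Host Name,MAC Address) and the event IDs 10/11/13 are assumed from the DhcpSrvLog format, and the log lines, host names and MACs are constructed.

```python
import csv
import io
from collections import defaultdict

# Column layout and event IDs assumed from the Windows DHCP server audit log
# (DhcpSrvLog): ID,Date,Time,Description,IP Address,Host Name,MAC Address.
FIELDS = ["id", "date", "time", "description", "ip", "host", "mac"]
LEASE_EVENTS = {"10": "assigned", "11": "renewed"}
CONFLICT_EVENT = "13"   # server's conflict detection found the IP already in use

def parse_dhcp_log(text):
    """Yield one dict per data row; the free-text banner and header line are skipped."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= len(FIELDS) and row[0].isdigit():
            yield dict(zip(FIELDS, row))

def history_for(text, ip):
    """Every MAC the server gave `ip` to (with when/how), plus conflict timestamps."""
    by_mac, conflicts = defaultdict(list), []
    for ev in parse_dhcp_log(text):
        if ev["ip"] != ip:
            continue
        if ev["id"] in LEASE_EVENTS:
            by_mac[ev["mac"].upper()].append(
                (ev["date"], ev["time"], LEASE_EVENTS[ev["id"]], ev["host"]))
        elif ev["id"] == CONFLICT_EVENT:
            conflicts.append((ev["date"], ev["time"]))
    return dict(by_mac), conflicts

def is_suspicious(by_mac, conflicts):
    """Worth a look if the address went to more than one MAC or was flagged in use."""
    return len(by_mac) > 1 or bool(conflicts)

# Constructed sample in the assumed layout; hosts and MACs are made up.
SAMPLE_LOG = """Microsoft DHCP Service Activity Log
ID,Date,Time,Description,IP Address,Host Name,MAC Address
10,10/17/07,08:05:11,Assign,10.0.0.3,ASUS-NB.example.local,001122AABBCC
13,10/17/07,08:05:12,Conflict,10.0.0.3,,
11,10/17/07,12:40:03,Renew,10.0.0.3,UNKNOWN-PC,00AABB112233
10,10/17/07,08:06:00,Assign,10.0.0.7,PC02.example.local,0011223344FF
"""
```

A second MAC renewing the same address, as in the constructed sample, is the rogue node the post is waiting to see; the MAC is what lets you trace it to a switch port or the wireless access point.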

This router is amazing: a save (^S) does not actually commit the changes to ROM, so when you switch it off & on again all the settings you made are gone. It reminds me of the Alcatel ST510 (config save), Cisco (write mem) & the Aztech routers.

And yes, after all this checking & running around, the first machine, with IPv6 disabled, is working OK now.