MoonPoint Support Logo

 


Shop Amazon Warehouse Deals - Deep Discounts on Open-box and Used ProductsAmazon Warehouse Deals



Advanced Search
December
Sun Mon Tue Wed Thu Fri Sat
         
           
2006
Months
Dec


Sat, Dec 30, 2006 3:36 pm

Barracuda Spam Firewall 200 Setup

I set up a Barracuda Spam Firewall 200 antispam appliance today. I was surprised by how noisy the device is; the fans are quite loud. Unfortunately, the device is supposed to sit in a closet next to someone's desk. I'm not sure how well she will be able to tolerate the noise from the device.

[ More Info ]

[/network/email/spam/barracuda] permanent link

Thu, Dec 28, 2006 9:33 pm

Fixing TeaTimer Window Problem with Resource Hacker

On several systems where I've installed Spybot - Search & Destroy 1.4, I've encountered problems with the popup windows that appear when I've activated TeaTimer, a Spybot application that monitors attempts to change the registry. The buttons on the warning window that appears won't have the correct description of their function written on them, so it is hard to determine what will happen when you click on a particular button.

The problem can be fixed with Resource Hacker.

[ More Info ]

[/security/spyware/spybot/teatimer] permanent link

Wed, Dec 27, 2006 10:02 pm

Starting and Stopping pcAnywhere Service from Command Line

I sometimes need to stop and restart the pcAnywhere service from a command line, but do it so rarely I usually can't remember the exact name of the service. You can see the names of services on a system by using the net start command. Issuing it without any arguments given to it shows a list of available services on the system. If you use the find with it, you can filter the list of displayed services to see just the name for the pcAnywhere service.
C:\Documents and Settings\administrator>net start | find /i "pcanywhere"
   pcAnywhere Host Service

Knowing that it is "pcAnywhere Host Service", you can then use net stop "pcanywhere host service" to stop the service and net start "pcanywhere host service" to restart it.

References:

  1. How to Use the net Command
    Cisco Systems, Inc.
    May 17, 2006

[/os/windows/software/remote-control/pcanywhere] permanent link

Wed, Dec 13, 2006 11:06 pm

Adding an Email Address to Outlook's Safe Senders List

Outlook 2003 provides the capability to add an email address to a "safe senders" list. Outlook will not apply its junk e-mail filter to email from senders on the safe senders list. However, you may have Outlook rules that will still route email from addresses on the list to the junk e-mail folder.

[ More Info ]

[/os/windows/office/outlook] permanent link

Wed, Dec 13, 2006 6:26 pm

Using pktstat to Monitor Network Traffic

Pktstat is free software for Linux and Unix systems that will display a real-time list of active connections seen on a network interface, and how much bandwidth is being used by various network connections. It partially decodes the HTTP and FTP protocols to show what filename is being transferred. X11 application names are also shown. Entries hang around on the screen for a few seconds so you can see what just happened. It also accepts filter expressions à la tcpdump.

An RPM file that can be used to install the software on Linux systems is available from http://www.stearns.org/pktstat/. As of December 13, 2006, the current version is 1.7.2q. I installed the software from the RPM file.

# wget http://www.stearns.org/pktstat/pktstat-1.7.2q-0.i386.rpm

# rpm -qip pktstat-1.7.2q-0.i386.rpm
warning: pktstat-1.7.2q-0.i386.rpm: V3 RSA/MD5 signature: NOKEY, key ID f322929d
Name        : pktstat                      Relocations: (not relocateable)
Version     : 1.7.2q                            Vendor: David Leonard
Release     : 0                             Build Date: Thu 10 Jul 2003 12:38:40 AM EDT
Install Date: (not installed)               Build Host: sparrow
Group       : Applications/Internet         Source RPM: pktstat-1.7.2q-0.src.rpmSize        : 145837                           License: Public Domain
Signature   : RSA/MD5, Thu 10 Jul 2003 12:38:40 AM EDT, Key ID 012334cbf322929d
Packager    : William Stearns <wstearns@pobox.com>
URL         : http://www.itee.uq.edu.au/~leonard/personal/software/#pktstat
Summary     : Displays a live list of active connections and what files are being transferred.
Description :
Display a real-time list of active connections seen on a network
interface, and how much bandwidth is being used by what. Partially
decodes HTTP and FTP protocols to show what filename is being
transferred. X11 application names are also shown. Entries hang around
on the screen for a few seconds so you can see what just happened. Also
accepts filter expressions a la tcpdump.

# rpm --install pktstat-1.7.2q-0.i386.rpm
warning: pktstat-1.7.2q-0.i386.rpm: V3 RSA/MD5 signature: NOKEY, key ID f322929d

Once installed the software can be run with the pktstat command. If you need to install from the source code rather from the RPM package, the steps to install the software are fairly straightforward and can be found at Bandwidth Monitoring Tools, which also lists a number of other free bandwidth monitoring tools.

The software can show you what files people are accessing on your web server in realtime as shown below:

interface: eth0
load averages: 6.3k 3.2k 1.4k bps

   bps    % desc
 779.9   2% icmp unreach port frostdragon -> ns2
            tcp adsl-68-126-206-36:2039 <-> frostdragon:http
            - GET /notebook/encyclopedia/s/slr_chibimoon.htm
            tcp adsl-68-126-206-36:2041 <-> frostdragon:http
            - 304 GET /notebook/encyclopedia/s/slr_chibimoon.htm
            tcp adsl-68-126-206-36:2042 <-> frostdragon:http
            - 304 GET /graphics/notepad.gif
            tcp adsl-68-126-206-36:2043 <-> frostdragon:http
            - 304 GET /notebook/encyclopedia/s/slr_chibimoon-title.jpg
            tcp adsl-68-126-206-36:2044 <-> frostdragon:http
            - 304 GET /notebook/encyclopedia/s/slr_chibimoon-002.jpg
            tcp adsl-68-126-206-36:2045 <-> frostdragon:http
            - 304 GET /notebook/encyclopedia/s/slr_chibimoon-001.jpg
            tcp adsl-68-126-206-36:2046 <-> frostdragon:http
            - 304 GET /notebook/encyclopedia/s/slr_chibimoon-lunapball.gif
 278.1   0% tcp adsl-68-126-206-36:2047 <-> frostdragon:http
            - 304 GET /notebook/encyclopedia/s/slr_chibimoon-ckey2.gif
  1.6k   5% tcp adsl-68-126-206-36:2048 <-> frostdragon:http
            - 304 GET /notebook/encyclopedia/s/slr_chibimoon-compact.gif

You can use tcpdump style filter expressions to limit the displayed information to just traffic you are interested in at the moment. For instance, if I just want to monitor email traffic, i.e. SMTP traffic on port 25, I can use the command pktstat port 25 when I start the program.

interface: eth0
load averages: 5.6k 1.2k 421.1 bps
filter: port 25
   bps    % desc
            tcp 245:29801 <-> frostdragon:smtp
            tcp bny92-4-82-228-126-176:1672 <-> frostdragon:smtp
 19.0k  51% tcp frostdragon:53388 <-> mx01:smtp
  55.6   0% tcp frostdragon:smtp <-> mail:22421
 18.0k  48% tcp frostdragon:smtp <-> pool-71-245-166-13:62216

By default, pktstat does not show the Fully Qualified Domain Name (FQDN) of systems. But you can change that behavior with the -F option.

         -F    Show full hostnames.  Normally, hostnames are truncated to
               the first component of their domain name before display.

For instance I could have it show the full name for systems that are exchanging email with my server with pktstat -F port 25

interface: eth0
load averages: 98.9 21.9 7.4 bps
filter: port 25
   bps    % desc
            tcp frostdragon.com:smtp <-> gateway.blackspider.com:43181

If you would prefer to see IP addresses and port numbers rather than names, you can use the -n option. E.g. I could use pktstat -n port 25 to again monitor only SMTP traffic, but this time display IP addresses rather than the host names and the port number, 25, rather than its description, which is smtp.

          -n    Do not try and resolve hostnames or service port numbers.
interface: eth0
load averages: 55.2 11.4 3.8 bps
filter: port 25
   bps    % desc
 587.1  85% tcp 66.104.202.96:36199 <-> 66.22.186.53:25
  98.4  14% tcp 66.22.186.53:25 <-> 67.172.4.27:4681

References:

  1. Bandwidth Monitoring Tools
    Planet Malaysia Blog
  2. pktstat
    By David Leonard
  3. pktstat file listing
    By William Stearns
    Mary 13, 2006

[/os/unix/linux/network] permanent link

Tue, Dec 12, 2006 8:03 pm

Joining a Windows XP Media Center Edition PC to a Domain

I've been looking at PCs for a Christmas gift for a family member. Many of those I've looked at come with Microsoft Windows XP Media Center Edition (MCE). Likely as part of its marketing strategy to be able to charge more for a "business" edition of Windows, i.e. Windows XP Professional, Microsoft has crippled the MCE edition of Windows so that it can't be joined to a domain, at least not easily. I did find instructions on how to join a Windows MCE PC to a domain at Windows Media Center 2005 Can't Join Domains, though. If there is actually a way to join a system running MCE to the domain in the house, I am more apt to buy a system with that Microsoft operating system.

Oh, well, another way in which Linux is superior to Windows. Unfortunately, two users of the system use it to play GoPets and I don't believe there is a Linux client, though I did find a comment from a GoPets representative at F13.net - Usefully Cynical Commentary >> AGC Interview with GoPets! that their partner in the Phillipines have suggested a Linux client be created.

I can remember how Microsoft used to charge hundreds more for Windows NT server than it did for Windows NT Workstation. An O'Reilly webpage, Differences Between NT Server and Workstation are Minimal, states the difference was $800 and that Microsoft claimed that there were technical reasons why there were restrictions on the number of simultaneous connections you could have to a web server running on Windows NT Workstation. Yet all it took to get the same functionality on Windows NT Workstation were a couple of registry changes. For those who remember the olden days when DOS was the predominant operating system, it would be like charging hundreds more for a few simple modifications to your config.sys or autoexec.bat file.

Incidentally, I noted that GoPets Ltd. which is a company based in Korea has been engaged in a domain dispute with someone in America who was apparently cybersquatting on the gopets.com domain name, putting up just a page with a handful of links at that address. Some people buy domain names using names that companies are using to do business solely so they can demand large sums of money from those companies for the domain names.

[/os/windows/xp] permanent link

Mon, Dec 11, 2006 8:35 pm

Using Full Media Capacity with cdrw

I downloaded a Knoppix ISO file to one of my Solaris 10 systems and attempted to create a Live CD from the .iso file using the cdrw command. However, when I attempted to do so, I received a "size required is greater than available space" error message.


bash-3.00$ cdrw -i KNOPPIX_V5.0.1CD-2006-06-01-EN.iso
Looking for CD devices...
Initializing device...done.
Size required (730036224 bytes) is greater than available space (681986048 bytes).

The file I was trying to write to the CD was 696 MB, which won't fit on a 650 MB CD, but I was using an 80 minute 700 MB CD.

The problem can be resolved by using the -C option with the cdrw command. Without that option, cdrw will assume a default capacity of 650 MB for CDs. To use the full 700MB capacity, you need the -C option.


     -C       Uses stated media capacity.  Without  this  option,
              cdrw  uses  a  default value for writable CD media,
              which is 74 minutes  for  an  audio  CD,  681984000
              bytes for a data CD, or 4.7 Gbytes for a DVD.

Once I used the option, I was able to write the .iso file to a blank CD.


bash-3.00$ cdrw -C -i KNOPPIX_V5.0.1CD-2006-06-01-EN.iso
Looking for CD devices...
Initializing device...done.
Writing track 1...40 %

[/os/unix/solaris] permanent link

Fri, Dec 08, 2006 9:40 pm

Forwarding Print Jobs

I have a PC running Solaris 5.10 connected to one network interface on a Sun Ultra 5 system running Solaris 2.7. The Ultra 5 workstation has another network interface that faces the world. The PC connects only to the Ultra 5 and has no other network access. It has web acces through proxy server software running on the Ultra 5. I also needed to be able to print from the PC to printers on the other side of the Ultra 5. To obtain that access, I used balance

Balance is a load balancing solution, which uses a simple but powerful generic TCP proxy with round robin load balancing and failover mechanisms. Its behaviour can be controlled at runtime using a simple command line syntax, which is listed below.


balance 3.19
Copyright (c) 2000-2003,2004 by Inlab Software GmbH, Gruenwald, Germany.
All rights reserved.

usage:
  balance [-b host] [-t sec] [-T sec] [-dfp] \
          port [h1[:p1[:maxc1]] [!] [ ... hN[:pN[:maxcN]]]]
  balance [-b host] -i [-d] port
  balance [-b host] -c cmd  [-d] port

  -b host   bind to specific host address on listen
  -B host   bind to specific host address for outgoing connections
  -c cmd    execute specified interactive command
  -d        debugging on
  -f        stay in foregound
  -i        interactive control
  -H        failover even if Hash Type is used
  -p        packetdump
  -t sec    specify connect timeout in seconds (default=5)
  -T sec    timeout (seconds) for select (0 => never) (default=0)
   !        separates channelgroups (declaring previous to be Round Robin)
   %        as !, but declaring previous group to be a Hash Type

example:
  balance smtp mailhost1:smtp mailhost2:25 mailhost3
  balance -i smtp

Balance is Open Source Software (OSS) and is provided under the Gnu Public License (GPL). It runs on Linux, FreeBSD, BSD/OS, Solaris, Windows using Cygwin, Mac-OS X, HP-UX, and other operating systems.

To use balance to forward print jobs from the PC through the Ultra 5 workstation to printers on the other side of the Ultra 5 workstation, I installed balance on the Ultra 5 system and then issued the following command:


# balance -b 192.168.1.1 515 bermuda.somewhere.org:515

I specified the -b option, since I did not want balance listening on both of the Ultra 5 network interfaces, only the one that faces the PC. The address for the network card to which the PC connects is 192.168.1.1. The 515 after that address specifies that balance should listen on TCP port 515 on that interface. I then want balance to forward any data it receives on port 515 on the 192.168.1.1 interface to a printer with a network name of bermuda.somewhere.org. The :515 at the end of the printer's network name indicates that balance should forward data to port 515 on the printer. TCP port 515 is the port for the Line Printer Daemon (LPD) protocol. It is a standard port on which network printers listen for print jobs. If you wish balance to listen on ports less than 1024, which are the "well known" ports, then you must issue the command to run balance from the root account.

I then needed to tell the PC that there is a printer available at the 192.168.1.1 address, though in actuality, the workstation at that address will simply forward any data it receives on port 515 to the bermuda printer.

First, I checked to see what printers the PC already thought were available through the lptstat command.


# lpstat -a
laserjet accepting requests since Dec 05 19:23 2006

The system already is set up to print to laserjet, but unfortunately that printer is no longer accessible, which is why I need to use balance and the bermuda printer.

I then used the lpadmin command on the PC running Solaris 10 PC to add the new printer.


# lpadmin -p bermuda -s 192.168.1.1

The first lpadmin command has a -p argument, which specifies the printer name I want to use on the PC for the printer. I am going to use the name bermuda to make it match the name on the network name of that printer, but it wouldn't have to match. The next argument is specified with -s. The -s option is followed by a system name, e.g. ultra5.somewhere.org, or IP address. I used the latter and specified the IP address on the Ultra 5 workstation to which the PC is connected. The -s option is used to make a printer available on another system available to the local system.


     -s system-name[!printer-name]

         Make a remote printer (one that must be accessed through
         another  system)  accessible  to  users  on your system.
         system-name is the name of the remote  system  on  which
         the  remote  printer  is located it. printer-name is the
         name used on the remote system  for  that  printer.  For
         example,  if  you want to access printer1 on system1 and
         you want it called printer2 on your system:

         -p printer2 -s system1!printer1

Once I added the printer, I wanted to make it the default printer, which I can do with the -d option for lpadmin.


# lpadmin -d bermuda

If you want to check which printer is the default printer, you can use the command lpstat -d.


# lpstat -d
system default destination: bermuda

Now, if I check printer status with lpstat -a, I see both the old and new printers listed.


# lpstat -a
laserjet accepting requests since Dec 08 19:32 2006
bermuda accepting requests since Dec 08 19:32 2006
_default accepting requests since Dec 08 19:32 2006

If I want more details, I can use lpstat -s.


# lpstat -s
scheduler is not running
system default destination: bermuda
system for laserjet: 192.168.1.1
system for bermuda: 192.168.1.1
system for _default: 192.168.1.1 (as printer bermuda)

To get rid of the entry for the no longer accessible laserjet printer, I used the lpadmin -x command.


# lpadmin -x laserjet
# lpstat -a
bermuda accepting requests since Dec 08 19:57 2006
_default accepting requests since Dec 08 19:57 2006

Solaris stores the information about printers in /etc/printers.conf, so the lpadmin commands are modifying that file.

After adding the printer, if I then want to make it visible to a user account that is using the Java Desktop System for the user interface, I need to take the following steps:

  1. Click on Launch.
  2. Select Preferences.
  3. Select Printer Preferences.
  4. Click on View.
  5. Click on Select Printers to Show.
  6. Bermuda is now in the list of available printers, so click on it to select it and then click on OK.
  7. Right-click on it and select Set as Default.
  8. Close the Printer Manager window.

Now when printing from the Solaris 10 PC, I can print to the bermuda printer from the user account under which I made the above changes by selecting it as the printer in applications.

References:

  1. balance
    Author: Thomas Obermair
    freshmeat.net
  2. Balance
    Inlab Software GmbH
  3. Line Printer Daemon protocol
    Wikipedia
  4. Print Server Port Numbers for Netcat
    By Jeff Liebermann
    May 17, 2000
  5. How to Add a Network Printer Locally on a UNIX Solaris SPARC Workstation
    Citrix
    January 13, 2003
  6. Proxying the LPD Port with Balance
    MoonPoint Support
    March 3, 2006
  7. Balance
    MoonPoint Support

[/os/unix/solaris] permanent link

Mon, Dec 04, 2006 12:57 am

Pacerd.bundle

BazookaTM Adware and Spyware Scanner v1.13.03. reported that it found Pacerd.bundle on a Windows XP system, G, when I scanned it.

The uninstall procedure on the Kephyr webage suggested using "Add or Remove Programs" from the Windows Control Panel to remove entries named "Surf Sidekick", "ItalMgr", "Command", "RelevantKnowledge" and "MarketScore" before going through the manual uninstall instructions. However, none of those existed.

The Kephyr site indicates that the presence of any of the files or directories listed below may indicate a system is infected with this malware.


%ProgramsDir%\Msnmaker\
%ProgramsDir%\Quick Links\
%ProgramsDir%\InetGet\
%ProgramsDir%\FREEPR~1\
%ProgramsDir%\Freeprod Toolbar\
%ProgramsDir%\Cas\
%ProgramsDir%\CasStub\
%ProgramsDir%\CMSystem\
%ProgramsDir%\System Files\System.exe
%ProgramsDir%\System Files\plugin.dll
%ProgramsDir%\Yazzle Sudoku\
%WinDir%\etb\pokapoka73.exe
%WinDir%\etb\pokapoka75.exe
%WinDir%\exe82.exe
%WinDir%\bsx32\
%WinDir%\etb\
%WinDir%\jptc.dat
%WinDir%\offun.exe
%WinDir%\rk.exe
%WinDir%\rlvknlg.exe
%SystemDir%\PSof1.exe
%SystemDir%\exp.exe
%SystemDir%\wintask.exe
%SystemDir%\adcomplusanalytic.exe
%SystemDir%\ichckupd.exe
%SystemDir%\bho.dll
%SystemDir%\nsb12.dll
%SystemDir%\APD123.exe
%SystemDir%\wuauclt.dll
%SystemDir%\202_app13.exe
%SystemDir%\APD123.exe
%SystemDir%\MTE2ODM6ODoxNg.exe
%SystemDir%\PopOops.dll
%SystemDir%\PopOops.dll
%SystemDir%\SI.exe
%SystemDir%\SWLAD1.dll
%SystemDir%\SWLAD1.dll
%SystemDir%\atmtd.dll
%SystemDir%\atmtd.dll._
%SystemDir%\dist001.exe
%SystemDir%\installer216.exe
%SystemDir%\nstD.dll
%SystemDir%\uc.exe
%SystemDir%\wuauclt.dll
%SystemDir%\AOP2.exe
%SystemDir%\repairs302972979.dll

%WinDir% is a variable. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\WINNT (Windows NT/2000).

%SystemDir% is a variable. By default, this is C:\Windows\System (Windows 95/98/Me), C:\WINNT\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

%ProgramsDir% is a variable. By default, this is C:\Program Files.

I created a batch file, pacerd_bundle-files.bat to search for any intances of the above files or directories on the system. None were found.

I then checked the registry for the presence of any of the registry keys the Kephyr webpage listed as being associated with the malware. I found only one of the listed registry keys. The one I found was associated with a Windows startup entry for winsync.


C:\>reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /
v winsync

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    winsync     REG_SZ  C:\WINDOWS\System32\kdkgpx.exe reg_run

However, I did not see that file on the system, even when I booted into safe mode. And none of the listed files were found on the system when I checked under safe mode, also.

I deleted the registry key with the reg delete command.


C:\Documents and Settings\Administrator\My Documents>reg delete HKEY_LOCAL_MACHI
NE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v winsync

Delete the registry value winsync (Y/N)? y

The operation completed successfully

When I scanned the system again with Bazooka, it did not report the presence of Pacerd.bundle. The registry key it found previously was likely a remnant of spyware previously removed by another antispyware program on the system.

References:

  1. Pacerd.bundle

[/security/spyware/pacerd_bundle] permanent link

Sun, Dec 03, 2006 10:12 pm

Exploit searchterror.com

I ran a scan of a system, G, with BazookaTM Adware and Spyware Scanner v1.13.03. It found Exploit searchterror.com on the system.

The uninstall procedure on the Kephyr webage suggested using "Add or Remove Programs" in the Windows® Control Panel to remove the malware. I looked for "SpySheriff" and "WeirdOnTheWeb" entries as suggested, but found none.

The Kephyr site indicates that the presence of any of the files or directories listed below may indicate a system is infected with this malware.


c:\loader.exe
c:\mailz.txt
c:\sys.exe
c:\tmp.txt
c:\trig.dtl
c:\winstall.exe
%WinDir%\weirdontheweb_topc.exe
%WinDir%\zsettings.dll
%WinDir%\tool1.exe
%WinDir%\tool2.exe
%WinDir%\tool3.exe
%WinDir%\svchost.exe
%WinDir%\ms1.exe
%WinDir%\ms2.exe
%WinDir%\ms3.exe
%WinDir%\ms4.exe
%WinDir%\msmsgr2.exe
%WinDir%\drexinit.dll
%WinDir%\kernels32.exe
%WinDir%\vr_sys.dll
%WinDir%\desktop.html
%WinDir%\dvpd.dll
%WinDir%\installer_SIAC.exe
%WinDir%\sasent.dll
%WinDir%\sasetup.dll
%WinDir%\cdmweb\
%SystemDir%\latest.exe
%SystemDir%\maxd.exe
%SystemDir%\newdial.exe
%SystemDir%\realupd32.exe
%SystemDir%\realupd_32.exe
%SystemDir%\thn.dll
%SystemDir%\thn32.dll
%SystemDir%\tibs.exe
%SystemDir%\vx.tll
%SystemDir%\init32m.exe
%SystemDir%\cssrs.exe
%SystemDir%\abc.exe
%SystemDir%\paytime.exe
%SystemDir%\vxgame1.exe
%SystemDir%\vxgame2.exe
%SystemDir%\vxgame3.exe
%SystemDir%\vxgame4.exe
%SystemDir%\win32.exe
%SystemDir%\newdial1.exe
%SystemDir%\zolk.dll
%SystemDir%\ztoolber.dll
%SystemDir%\ztoolbar.bmp
%SystemDir%\ztoolbar.xml
%SystemDir%\~update.exe
%ProgramsDir%WeirdOnTheWeb\

%WinDir% is a variable. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\WINNT (Windows NT/2000).

%SystemDir% is a variable. By default, this is C:\Windows\System (Windows 95/98/Me), C:\WINNT\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

%ProgramsDir% is a variable. By default, this is C:\Program Files.

The file svchost.exe is part of the list, but is also a file normally found on Windows systems. On Windows NT and later systems, though, it is found in %WinDir%\system32, rather than in %WinDir%. The Kephyr webpage indicates its presence in the %WinDir% directory indicates the presence of this malware.

I created a batch file, searchterror-files.bat to search for any intances of the above files or directories on the system. The script did not find either of the two directories associated with the malware %WinDir%\cdmweb\ nor %ProgramsDir\%WeirdOnTheWeb\. The only file from the list which it found was C:\temp.txt, which had a creation timestamp of Thursday, December 23, 2004, 4:21:31 PM. When I renamed that file, Bazooka no longer reported the presence of Exploit searchterror.com on the system. Since it didn't find any registry entries associated with the malware, I believe the report was a false positive.

References:

  1. Exploit searchterror.com

[/security/spyware/searchterror] permanent link

Once You Know, You Newegg AliExpress by Alibaba.com

Shop Amazon Local - Subscribe to Deals in Your Neighborhood

Valid HTML 4.01 Transitional

Privacy Policy   Contact

Blosxom logo