LimeWire
After I had cleaned a lot of malware from someone's home system, I found
LimeWire on the system. McAfee security software was on the system and
prompted me as to whether I wanted to allow LimeWire to run or block it. My
last experience with LimeWire was several years ago. At that time I had found
the free version came bundled with adware/spyware, so I had the McAfee
software block LimeWire. After checking on the current version, though, I
found it no longer comes bundled with adware/spyware according to the
developer, Lime Wire LLC (see "LimeWire's response: Spyware" and the
Wikipedia article on LimeWire).
Granted, one should never rely on the developer's or
distributors' word on such matters, since they will often simply define
the terms "adware" and "spyware" so that they don't include techniques
used by their software, instead of using the commonly accepted definitions.
But, as far as I can determine, LimeWire has indeed been distributed,
even in the free version, without adware or spyware for several years now.
[/network/p2p]
AdSpy.TTC Detected by Spybot
I ran a scan of a family member's system with Spybot Search & Destroy
version 1.5, which reported AdSpy.TTC based on the presence of a registry
entry. When I checked the system for
C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll,
which was the file referenced by the registry entry Spybot detected, I did
not see it on the system, and CastleCops identified the CLSID key referenced
as being associated with legitimate software.
[/security/trojans]
RPC Won't Start Because of Missing Svchost File
On a Windows XP SP2 system where I saw the following error message when I tried
to start the Remote Procedure Call (RPC) service, the problem was due to a
missing svchost.exe file in C:\Windows\System32\:
Services
Could not start the Remote Procedure Call (RPC) service on Local Computer.
Error 2: The system cannot find the file specified.
[ OK ]
The location where svchost.exe should be located can be found in the registry
at HKLM\SYSTEM\CurrentControlSet\Services\RpcSs\ImagePath. I copied the file
from another Windows XP SP2 system. The file was 14KB and was dated 8/4/2004
with an MD5 hash of 8f078ae4ed187aaabc0a305146de6716.
I discovered the svchost.exe
file was missing while trying to
determine why the taskbar wasn't displaying properly - it was 1/2 height
and couldn't be stretched, even though unlocked, there were no programs shown
on the taskbar, and the Start button was missing.
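As an added example (not part of the original post), the batch script below performs the same check from a Windows XP command prompt: it reads the RpcSs ImagePath value, expands it, and reports whether the svchost.exe it names is present. The known-good size, date and MD5 quoted in the comments are the ones given above; the exact reg.exe output layout is assumed to be the usual XP three-column form.

```batch
@echo off
rem Added example, not from the original post: check that the RPC service's
rem ImagePath points at an svchost.exe that actually exists on disk.
setlocal
set "KEY=HKLM\SYSTEM\CurrentControlSet\Services\RpcSs"
set "IMAGEPATH="

rem reg.exe prints:  ImagePath  REG_EXPAND_SZ  %SystemRoot%\system32\svchost -k rpcss
rem token 1 is the value name, token 2 the type, and * the rest of the line.
for /f "tokens=2,*" %%A in ('reg query "%KEY%" /v ImagePath ^| findstr /i "ImagePath"') do set "IMAGEPATH=%%B"

if not defined IMAGEPATH (
    echo Could not read %KEY%\ImagePath - the RpcSs key itself may be damaged.
    exit /b 1
)
echo ImagePath is: %IMAGEPATH%

rem Keep only the executable, which is the first token, then let CALL expand
rem %SystemRoot% on a second pass, and add .exe when the value omits it.
for /f "tokens=1" %%A in ("%IMAGEPATH%") do set "EXE=%%A"
call set "EXE=%EXE%"
if /i not "%EXE:~-4%"==".exe" set "EXE=%EXE%.exe"

if exist "%EXE%" (
    echo Found %EXE%:
    dir "%EXE%" | findstr /i "svchost"
    rem The post's known-good XP SP2 copy was 14KB, dated 8/4/2004,
    rem MD5 8f078ae4ed187aaabc0a305146de6716; compare before trusting this file.
    echo Compare size, date and MD5 with a known-good copy from a clean XP SP2 system.
) else (
    echo MISSING: %EXE%
    echo This matches "Error 2: The system cannot find the file specified" when
    echo starting the RPC service. Restore svchost.exe from a clean XP SP2 system
    echo at the same service pack level, then verify its MD5 against a known-good value.
    exit /b 2
)
endlocal
```

Run it before and after restoring the file; a non-zero exit code means the registry value or the file is still wrong.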
References:
- Infected Gateway Laptop - December 2007
[/os/windows/xp]
Infected Dell Inspiron 6000 Laptop
When checking a Dell Inspiron 6000 laptop for malware, I found a very
large burden of malware on the system. The system also had no network
connectivity, since the tcpip.sys file was missing from
c:\windows\system32\drivers. Because of the missing tcpip.sys file, whenever
I issued the ipconfig command, I would see the following:
C:\WINDOWS\system32>ipconfig
Windows IP Configuration
An internal error occurred: The request is not supported.
Please contact Microsoft Product Support Services for further help.
Additional information: Unable to query host name.
It took several days for me to remove all of the malware and restore network
connectivity.
[/security/removal-logs]
Reconfiguring IP Interface for DHCP from the Command Line
The IP address on a Windows XP system can be changed from a static value to a
DHCP-assigned IP address from the command line using the command below
(presuming you wish to change the IP address for the interface "Local Area
Connection", since you may have multiple or differently named network
connections).
netsh interface ip set address "Local Area Connection" dhcp
You can also set the DNS servers from the command line using the command below.
netsh interface ip set dns "Local Area Connection" dhcp
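As an added example (not from the original post), the batch script below wraps the two netsh commands above and also shows the static form of the same commands, which the post does not cover, followed by a lease renewal and a configuration listing so the change can be checked. The interface name "Local Area Connection" and the 192.168.1.x addresses are assumptions; adjust them for your network.

```batch
@echo off
rem Added example, not from the original post: switch a Windows XP interface
rem between DHCP and a static configuration with netsh, then show the result.
rem The interface name and the 192.168.1.x addresses are assumed; adjust them.
setlocal
set "IFACE=Local Area Connection"

if /i "%~1"=="static" goto static
if /i "%~1"=="dhcp"   goto dhcp
echo Usage: %~nx0 dhcp ^| static
exit /b 1

:dhcp
rem Address and DNS servers are separate settings; set both, as the post does,
rem or the interface keeps its old static DNS servers after moving to DHCP.
netsh interface ip set address "%IFACE%" dhcp
netsh interface ip set dns "%IFACE%" dhcp
rem Ask the DHCP server for a lease right away instead of waiting.
ipconfig /renew "%IFACE%"
goto show

:static
rem Positional form: name, source, address, mask, default gateway, gateway metric.
netsh interface ip set address "%IFACE%" static 192.168.1.10 255.255.255.0 192.168.1.1 1
netsh interface ip set dns "%IFACE%" static 192.168.1.1
goto show

:show
rem Print the resulting configuration so the change can be verified.
netsh interface ip show config "%IFACE%"
endlocal
```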
References:
- Configure TCP/IP from the Command Prompt, by Daniel Petri, Petri IT Knowledgebase
[/os/windows/commands]
Resetting Password with Offline NT Password & Registry Editor
The date on a repaired laptop I had returned to me, after a motherboard
problem was fixed, was January 28, 2150. The laptop is running Windows
XP Professional. I knew the password for my normal user account on the
laptop, but couldn't remember the password for my administrator account
on the system.
I downloaded Offline NT Password & Registry Editor in ISO format. After
extracting the .iso file from the .zip file I downloaded, I created a bootable
CD from the ISO file. I booted from the boot CD and saw the following.
Disks:
Disk /dev/sda: 80.0 GB, 80026361856 bytes
Candidate Windows partitions found:
1 : /dev/sda1 76316MB BOOT
Please select partition by number or
q = quit
d = automatically start disk drivers
m = manually select disk drivers to load
f = fetch additional drivers from floppy / usb
a = show all partitions found
l = show propbable Windows (NTFS) partitions only
Select: [1]
I hit Enter to take the default option of one for /dev/sda1. I then saw the
following.
Selected 1
Mounting from /dev/sda1, with filesystem type NTFS
NTFS volume version 3.1.
=========================================================
Step TWO: Select PATH and registry files
=========================================================
What is the path to the registry directory? (relative to windows disk)
[WINDOWS/system32/config] :
Since WINDOWS/system32/config was the correct location, I hit Enter and had
the opportunity to select the password reset option by hitting Enter again.
Select which part of registry to load, use predefined choices
1 - Password reset [sam system security]
2 - RecoveryConsile parameters [software]
q - quit - return to previous
[1] :
For step 3, "Password or registry edit", I had the option to "edit user
data and passwords", which I chose by hitting Enter.
<>========<> chntpw Main Interactive Menu <>========<>
Loaded hives: <sam> <system> <security>
1 - Edit user data and passwords
2 - Syskey status & change
3 - RecoveryConsole settings
9 - Registry editor, now with full write support!
q - Quit (you will be asked if there is something to save)
What to do? [1] ->
I was then presented with a list of the local accounts on the system. Those
that were disabled or locked were marked as "dis/lock". I
chose the administrator account for which I wished to reset the password
and was presented with information on the account and the opportunity to
blank the password, which is the option I chose.
Failed login count: 1, while max tries is: 5
Total login count: 68
- - - - User Edit Menu:
1 - Clear (blank) user password
2 - Edit (set new) user password (careful with this on XP or Vista)
3 - Promote user (Make user an administrator)
(4 - Unlock and enable user account) [seems unlocked already]
q - Quit editing user, back to user select
Select: [q] >
I then saw "Password cleared!". I then hit "!" to quit modifying accounts
and then "q" to quit. At the next step, step 4, you will be asked to confirm
whether to actually write the changes to disk. The default response is "n",
so you need to hit "y" to actually apply the changes you've requested.
You will then see "***** EDIT COMPLETE *****". Hitting Enter will give you a
Linux shell prompt of "$". You can then reboot the system; remove the CD so
the system won't attempt to boot from it again.
When the system booted into Windows XP, I tried logging into the
administrator account. I saw the message "Your password has expired and must be
changed." I entered a new password and was able to login to the administrator's
account.
[/os/windows/utilities/sysmgmt]