
Sat, Dec 30, 2006 3:36 pm

Barracuda Spam Firewall 200 Setup

I set up a Barracuda Spam Firewall 200 antispam appliance today. I was surprised by how noisy the device is; the fans are quite loud. Unfortunately, the device is supposed to sit in a closet next to someone's desk. I'm not sure how well she will be able to tolerate the noise from the device.

[ More Info ]

[/network/email/spam/barracuda] permanent link

Thu, Dec 28, 2006 9:33 pm

Fixing TeaTimer Window Problem with Resource Hacker

On several systems where I've installed Spybot - Search & Destroy 1.4, I've encountered problems with the popup windows that appear when I've activated TeaTimer, a Spybot component that monitors attempts to change the registry. The buttons on the warning window don't carry the correct description of their function, so it is hard to tell what will happen when you click a particular button.

The problem can be fixed with Resource Hacker.

[ More Info ]

[/security/spyware/spybot/teatimer] permanent link

Wed, Dec 27, 2006 10:02 pm

Starting and Stopping pcAnywhere Service from Command Line

I sometimes need to stop and restart the pcAnywhere service from a command line, but I do it so rarely that I usually can't remember the exact name of the service. You can see the names of the services on a system by using the net start command; issued without any arguments, it shows a list of services on the system. If you pipe its output to the find command, you can filter the list to show just the name of the pcAnywhere service.
C:\Documents and Settings\administrator>net start | find /i "pcanywhere"
   pcAnywhere Host Service

Knowing that it is "pcAnywhere Host Service", you can then use net stop "pcanywhere host service" to stop the service and net start "pcanywhere host service" to restart it.

References:

  1. How to Use the net Command
    Cisco Systems, Inc.
    May 17, 2006

[/os/windows/software/remote-control/pcanywhere] permanent link

Wed, Dec 13, 2006 11:06 pm

Adding an Email Address to Outlook's Safe Senders List

Outlook 2003 provides the capability to add an email address to a "safe senders" list. Outlook will not apply its junk e-mail filter to email from senders on the safe senders list. However, you may have Outlook rules that will still route email from addresses on the list to the junk e-mail folder.

[ More Info ]

[/os/windows/office/outlook] permanent link

Wed, Dec 13, 2006 6:26 pm

Using pktstat to Monitor Network Traffic

Pktstat is free software for Linux and Unix systems that will display a real-time list of active connections seen on a network interface, and how much bandwidth is being used by various network connections. It partially decodes the HTTP and FTP protocols to show what filename is being transferred. X11 application names are also shown. Entries hang around on the screen for a few seconds so you can see what just happened. It also accepts filter expressions à la tcpdump.

An RPM file that can be used to install the software on Linux systems is available from http://www.stearns.org/pktstat/. As of December 13, 2006, the current version is 1.7.2q. I installed the software from the RPM file.

# wget http://www.stearns.org/pktstat/pktstat-1.7.2q-0.i386.rpm

# rpm -qip pktstat-1.7.2q-0.i386.rpm
warning: pktstat-1.7.2q-0.i386.rpm: V3 RSA/MD5 signature: NOKEY, key ID f322929d
Name        : pktstat                      Relocations: (not relocateable)
Version     : 1.7.2q                            Vendor: David Leonard
Release     : 0                             Build Date: Thu 10 Jul 2003 12:38:40 AM EDT
Install Date: (not installed)               Build Host: sparrow
Group       : Applications/Internet         Source RPM: pktstat-1.7.2q-0.src.rpm
Size        : 145837                           License: Public Domain
Signature   : RSA/MD5, Thu 10 Jul 2003 12:38:40 AM EDT, Key ID 012334cbf322929d
Packager    : William Stearns <wstearns@pobox.com>
URL         : http://www.itee.uq.edu.au/~leonard/personal/software/#pktstat
Summary     : Displays a live list of active connections and what files are being transferred.
Description :
Display a real-time list of active connections seen on a network
interface, and how much bandwidth is being used by what. Partially
decodes HTTP and FTP protocols to show what filename is being
transferred. X11 application names are also shown. Entries hang around
on the screen for a few seconds so you can see what just happened. Also
accepts filter expressions a la tcpdump.

# rpm --install pktstat-1.7.2q-0.i386.rpm
warning: pktstat-1.7.2q-0.i386.rpm: V3 RSA/MD5 signature: NOKEY, key ID f322929d

Once installed, the software can be run with the pktstat command. If you need to install from the source code rather than from the RPM package, the steps are fairly straightforward and can be found at Bandwidth Monitoring Tools, which also lists a number of other free bandwidth monitoring tools.

The software can show you what files people are accessing on your web server in realtime as shown below:

interface: eth0
load averages: 6.3k 3.2k 1.4k bps

   bps    % desc
 779.9   2% icmp unreach port frostdragon -> ns2
            tcp adsl-68-126-206-36:2039 <-> frostdragon:http
            - GET /notebook/encyclopedia/s/slr_chibimoon.htm
            tcp adsl-68-126-206-36:2041 <-> frostdragon:http
            - 304 GET /notebook/encyclopedia/s/slr_chibimoon.htm
            tcp adsl-68-126-206-36:2042 <-> frostdragon:http
            - 304 GET /graphics/notepad.gif
            tcp adsl-68-126-206-36:2043 <-> frostdragon:http
            - 304 GET /notebook/encyclopedia/s/slr_chibimoon-title.jpg
            tcp adsl-68-126-206-36:2044 <-> frostdragon:http
            - 304 GET /notebook/encyclopedia/s/slr_chibimoon-002.jpg
            tcp adsl-68-126-206-36:2045 <-> frostdragon:http
            - 304 GET /notebook/encyclopedia/s/slr_chibimoon-001.jpg
            tcp adsl-68-126-206-36:2046 <-> frostdragon:http
            - 304 GET /notebook/encyclopedia/s/slr_chibimoon-lunapball.gif
 278.1   0% tcp adsl-68-126-206-36:2047 <-> frostdragon:http
            - 304 GET /notebook/encyclopedia/s/slr_chibimoon-ckey2.gif
  1.6k   5% tcp adsl-68-126-206-36:2048 <-> frostdragon:http
            - 304 GET /notebook/encyclopedia/s/slr_chibimoon-compact.gif

You can use tcpdump style filter expressions to limit the displayed information to just traffic you are interested in at the moment. For instance, if I just want to monitor email traffic, i.e. SMTP traffic on port 25, I can use the command pktstat port 25 when I start the program.

interface: eth0
load averages: 5.6k 1.2k 421.1 bps
filter: port 25
   bps    % desc
            tcp 245:29801 <-> frostdragon:smtp
            tcp bny92-4-82-228-126-176:1672 <-> frostdragon:smtp
 19.0k  51% tcp frostdragon:53388 <-> mx01:smtp
  55.6   0% tcp frostdragon:smtp <-> mail:22421
 18.0k  48% tcp frostdragon:smtp <-> pool-71-245-166-13:62216

By default, pktstat does not show the Fully Qualified Domain Name (FQDN) of systems. But you can change that behavior with the -F option.

         -F    Show full hostnames.  Normally, hostnames are truncated to
               the first component of their domain name before display.

For instance, I could have it show the full names of the systems exchanging email with my server with pktstat -F port 25.

interface: eth0
load averages: 98.9 21.9 7.4 bps
filter: port 25
   bps    % desc
            tcp frostdragon.com:smtp <-> gateway.blackspider.com:43181

If you would prefer to see IP addresses and port numbers rather than names, you can use the -n option. E.g. I could use pktstat -n port 25 to again monitor only SMTP traffic, but this time display IP addresses rather than the host names and the port number, 25, rather than its description, which is smtp.

          -n    Do not try and resolve hostnames or service port numbers.

interface: eth0
load averages: 55.2 11.4 3.8 bps
filter: port 25
   bps    % desc
 587.1  85% tcp 66.104.202.96:36199 <-> 66.22.186.53:25
  98.4  14% tcp 66.22.186.53:25 <-> 67.172.4.27:4681
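A parser for the display format shown in the screens above, as an added example that is not part of pktstat or the original post: it turns the bps/%/desc lines and their "- " continuation lines into records, sums bandwidth per remote host and pulls out the decoded HTTP requests. The sample text is constructed from the output quoted above, and treating a "k" suffix as 1000 bps is my assumption.

```python
# Added example (not part of pktstat or the post): parse the pktstat display
# shown above into records, then summarise bandwidth per peer and decoded HTTP
# requests. Treating the "k" suffix as 1000 bps is an assumption.
import re
from typing import Dict, List

# Constructed sample, modelled on the unfiltered display quoted above.
SAMPLE = """\
interface: eth0
load averages: 6.3k 3.2k 1.4k bps

   bps    % desc
 779.9   2% icmp unreach port frostdragon -> ns2
            tcp adsl-68-126-206-36:2039 <-> frostdragon:http
            - GET /notebook/encyclopedia/s/slr_chibimoon.htm
  1.6k   5% tcp adsl-68-126-206-36:2048 <-> frostdragon:http
            - 304 GET /notebook/encyclopedia/s/slr_chibimoon-compact.gif
"""
HEADER_RE = re.compile(r"^(interface|filter|load averages):\s*(.*\S)\s*$")
# bps and % are blank for connections that are known but idle right now.
ENTRY_RE = re.compile(
    r"^\s*(?:(?P<bps>\d+(?:\.\d+)?[kMG]?)\s+(?P<pct>\d+)%\s+)?"
    r"(?P<proto>tcp|udp|icmp|arp|ip)\s+(?P<desc>.*\S)\s*$")
DETAIL_RE = re.compile(r"^\s+-\s+(.*\S)\s*$")              # "- 304 GET /x" lines
ENDPOINTS_RE = re.compile(r"(\S+)\s+(?:<->|->)\s+(\S+)$")  # host:port pairs
HTTP_RE = re.compile(r"^(?:(?P<status>\d{3})\s+)?(?P<method>[A-Z]+)\s+(?P<path>/\S*)$")
UNITS = {"k": 1e3, "M": 1e6, "G": 1e9}  # assumed decimal prefixes


def parse_rate(text: str) -> float:
    """'1.6k' -> 1600.0, '779.9' -> 779.9."""
    return float(text[:-1]) * UNITS[text[-1]] if text[-1] in UNITS else float(text)


def host_of(endpoint: str) -> str:
    """Strip the :port (or :service) suffix; hostnames and IPv4 only."""
    return endpoint.rsplit(":", 1)[0]


def parse_pktstat(text: str) -> Dict:
    result: Dict = {"interface": None, "filter": None, "entries": []}
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            if m[1] != "load averages":
                result[m[1]] = m[2]
        elif (m := DETAIL_RE.match(line)) and result["entries"]:
            result["entries"][-1]["details"].append(m[1])
        elif m := ENTRY_RE.match(line):
            ends = ENDPOINTS_RE.search(m["desc"])  # icmp lines carry a text prefix
            result["entries"].append({
                "proto": m["proto"],
                "bps": parse_rate(m["bps"]) if m["bps"] else None,
                "pct": int(m["pct"]) if m["pct"] else None,
                "endpoints": (ends[1], ends[2]) if ends else None,
                "details": [],
            })
    return result


def bandwidth_by_peer(parsed: Dict, local: str) -> Dict[str, float]:
    """Sum the current bps per remote host for entries that involve `local`."""
    totals: Dict[str, float] = {}
    for e in parsed["entries"]:
        hosts = [host_of(x) for x in e["endpoints"] or ()]
        if local in hosts:
            peer = hosts[1] if hosts[0] == local else hosts[0]
            totals[peer] = totals.get(peer, 0.0) + (e["bps"] or 0.0)
    return totals


def http_requests(parsed: Dict) -> List[Dict]:
    """Flatten decoded HTTP request lines: client, status (if any), method, path."""
    out: List[Dict] = []
    for e in parsed["entries"]:
        for d in e["details"]:
            if (m := HTTP_RE.match(d)) and e["endpoints"]:
                out.append({"client": host_of(e["endpoints"][0]), "method": m["method"],
                            "status": int(m["status"]) if m["status"] else None,
                            "path": m["path"]})
    return out
```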

References:

  1. Bandwidth Monitoring Tools
    Planet Malaysia Blog
  2. pktstat
    By David Leonard
  3. pktstat file listing
    By William Stearns
    May 13, 2006

[/os/unix/linux/network] permanent link

Tue, Dec 12, 2006 8:03 pm

Joining a Windows XP Media Center Edition PC to a Domain

I've been looking at PCs for a Christmas gift for a family member. Many of those I've looked at come with Microsoft Windows XP Media Center Edition (MCE). Likely as part of its marketing strategy to be able to charge more for a "business" edition of Windows, i.e. Windows XP Professional, Microsoft has crippled the MCE edition of Windows so that it can't be joined to a domain, at least not easily. I did find instructions on how to join a Windows MCE PC to a domain at Windows Media Center 2005 Can't Join Domains, though. If there is actually a way to join a system running MCE to the domain in the house, I am more apt to buy a system with that Microsoft operating system.

Oh, well, another way in which Linux is superior to Windows. Unfortunately, two users of the system use it to play GoPets and I don't believe there is a Linux client, though I did find a comment from a GoPets representative at F13.net - Usefully Cynical Commentary >> AGC Interview with GoPets! that their partner in the Philippines has suggested a Linux client be created.

I can remember how Microsoft used to charge hundreds more for Windows NT server than it did for Windows NT Workstation. An O'Reilly webpage, Differences Between NT Server and Workstation are Minimal, states the difference was $800 and that Microsoft claimed that there were technical reasons why there were restrictions on the number of simultaneous connections you could have to a web server running on Windows NT Workstation. Yet all it took to get the same functionality on Windows NT Workstation were a couple of registry changes. For those who remember the olden days when DOS was the predominant operating system, it would be like charging hundreds more for a few simple modifications to your config.sys or autoexec.bat file.

Incidentally, I noted that GoPets Ltd. which is a company based in Korea has been engaged in a domain dispute with someone in America who was apparently cybersquatting on the gopets.com domain name, putting up just a page with a handful of links at that address. Some people buy domain names using names that companies are using to do business solely so they can demand large sums of money from those companies for the domain names.

[/os/windows/xp] permanent link

Mon, Dec 11, 2006 8:35 pm

Using Full Media Capacity with cdrw

I downloaded a Knoppix ISO file to one of my Solaris 10 systems and attempted to create a Live CD from the .iso file using the cdrw command. However, when I attempted to do so, I received a "size required is greater than available space" error message.


bash-3.00$ cdrw -i KNOPPIX_V5.0.1CD-2006-06-01-EN.iso
Looking for CD devices...
Initializing device...done.
Size required (730036224 bytes) is greater than available space (681986048 bytes).

The file I was trying to write to the CD was 696 MB, which won't fit on a 650 MB CD, but I was using an 80 minute 700 MB CD.

The problem can be resolved by using the -C option with the cdrw command. Without that option, cdrw assumes a default capacity of 650 MB for CDs. To use the full 700 MB capacity, you need the -C option.


     -C       Uses stated media capacity.  Without  this  option,
              cdrw  uses  a  default value for writable CD media,
              which is 74 minutes  for  an  audio  CD,  681984000
              bytes for a data CD, or 4.7 Gbytes for a DVD.

Once I used the option, I was able to write the .iso file to a blank CD.


bash-3.00$ cdrw -C -i KNOPPIX_V5.0.1CD-2006-06-01-EN.iso
Looking for CD devices...
Initializing device...done.
Writing track 1...40 %

[/os/unix/solaris] permanent link

Fri, Dec 08, 2006 9:40 pm

Forwarding Print Jobs

I have a PC running Solaris 5.10 connected to one network interface on a Sun Ultra 5 system running Solaris 2.7. The Ultra 5 workstation has another network interface that faces the world. The PC connects only to the Ultra 5 and has no other network access; it has web access through proxy server software running on the Ultra 5. I also needed to be able to print from the PC to printers on the other side of the Ultra 5. To obtain that access, I used balance.

Balance is a load balancing solution, which uses a simple but powerful generic TCP proxy with round robin load balancing and failover mechanisms. Its behaviour can be controlled at runtime using a simple command line syntax, which is listed below.


balance 3.19
Copyright (c) 2000-2003,2004 by Inlab Software GmbH, Gruenwald, Germany.
All rights reserved.

usage:
  balance [-b host] [-t sec] [-T sec] [-dfp] \
          port [h1[:p1[:maxc1]] [!] [ ... hN[:pN[:maxcN]]]]
  balance [-b host] -i [-d] port
  balance [-b host] -c cmd  [-d] port

  -b host   bind to specific host address on listen
  -B host   bind to specific host address for outgoing connections
  -c cmd    execute specified interactive command
  -d        debugging on
  -f        stay in foregound
  -i        interactive control
  -H        failover even if Hash Type is used
  -p        packetdump
  -t sec    specify connect timeout in seconds (default=5)
  -T sec    timeout (seconds) for select (0 => never) (default=0)
   !        separates channelgroups (declaring previous to be Round Robin)
   %        as !, but declaring previous group to be a Hash Type

example:
  balance smtp mailhost1:smtp mailhost2:25 mailhost3
  balance -i smtp

Balance is Open Source Software (OSS) and is provided under the GNU General Public License (GPL). It runs on Linux, FreeBSD, BSD/OS, Solaris, Windows using Cygwin, Mac OS X, HP-UX, and other operating systems.

To use balance to forward print jobs from the PC through the Ultra 5 workstation to printers on the other side of the Ultra 5 workstation, I installed balance on the Ultra 5 system and then issued the following command:


# balance -b 192.168.1.1 515 bermuda.somewhere.org:515

I specified the -b option, since I did not want balance listening on both of the Ultra 5 network interfaces, only the one that faces the PC. The address for the network card to which the PC connects is 192.168.1.1. The 515 after that address specifies that balance should listen on TCP port 515 on that interface. I then want balance to forward any data it receives on port 515 on the 192.168.1.1 interface to a printer with a network name of bermuda.somewhere.org. The :515 at the end of the printer's network name indicates that balance should forward data to port 515 on the printer. TCP port 515 is the port for the Line Printer Daemon (LPD) protocol. It is a standard port on which network printers listen for print jobs. If you wish balance to listen on ports less than 1024, which are the "well known" ports, then you must issue the command to run balance from the root account.
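The forwarding that the balance command above sets up, written out as an added Python example (not balance's own code): it binds to a single address only, as -b does, relays each accepted connection to one backend, and adds a client allowlist, which balance does not have, so that only the PC's subnet can use the relay. The addresses, the upper-casing stand-in for the printer and the loopback self-test are assumptions made for this example.

```python
# Added example, not balance's own code: a single-interface TCP relay doing what the
# balance command above does (listen on one address, forward each connection to one
# backend), plus a client allowlist that balance itself does not offer.
import asyncio
from ipaddress import ip_address, ip_network

async def _pump(reader, writer):
    """Copy bytes one way until EOF, then close the destination socket."""
    try:
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
    finally:
        writer.close()  # closes both directions; fine for LPD-style request/reply

class Relay:
    def __init__(self, listen_host, listen_port, backend_host, backend_port, allowed):
        self.listen = (listen_host, listen_port)     # cf. balance -b 192.168.1.1 515
        self.backend = (backend_host, backend_port)  # cf. bermuda.somewhere.org:515
        self.allowed = [ip_network(n) for n in allowed]
        self.rejected = 0

    def permitted(self, peer_ip: str) -> bool:
        addr = ip_address(peer_ip)
        return any(addr in net for net in self.allowed)

    async def handle(self, client_r, client_w):
        if not self.permitted(client_w.get_extra_info("peername")[0]):
            self.rejected += 1
            client_w.close()
            return
        try:
            backend_r, backend_w = await asyncio.open_connection(*self.backend)
        except OSError:
            client_w.close()  # backend unreachable: drop the client like a plain relay
            return
        await asyncio.gather(_pump(client_r, backend_w), _pump(backend_r, client_w),
                             return_exceptions=True)

    async def serve(self):
        return await asyncio.start_server(self.handle, *self.listen)

async def _upper_echo(reader, writer):
    """Stand-in for the printer: reply with the upper-cased request, then close."""
    writer.write((await reader.read(1024)).upper())
    await writer.drain()
    writer.close()

async def _roundtrip(relay_port: int) -> bytes:
    """Send one request through the relay; a dropped/reset connection yields b''."""
    r, w = await asyncio.open_connection("127.0.0.1", relay_port)
    try:
        w.write(b"hello lpd")
        await w.drain()
        return await r.read(1024)
    except OSError:
        return b""
    finally:
        w.close()

async def _selftest() -> bool:
    backend = await asyncio.start_server(_upper_echo, "127.0.0.1", 0)
    backend_port = backend.sockets[0].getsockname()[1]
    # Loopback client inside 127.0.0.0/8: the job is relayed to the backend.
    ok = Relay("127.0.0.1", 0, "127.0.0.1", backend_port, ["127.0.0.0/8"])
    ok_srv = await ok.serve()
    relayed = await _roundtrip(ok_srv.sockets[0].getsockname()[1])
    # Same loopback client, but the allowlist only covers the PC's subnet: dropped.
    no = Relay("127.0.0.1", 0, "127.0.0.1", backend_port, ["192.168.1.0/24"])
    no_srv = await no.serve()
    dropped = await _roundtrip(no_srv.sockets[0].getsockname()[1])
    for srv in (backend, ok_srv, no_srv):
        srv.close()
    return relayed == b"HELLO LPD" and dropped == b"" and no.rejected == 1

def selftest() -> bool:
    return asyncio.run(_selftest())
```

Like balance, the relay needs root to bind port 515 on a real host; the self-test uses ephemeral loopback ports so it runs unprivileged.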

I then needed to tell the PC that there is a printer available at the 192.168.1.1 address, though in actuality, the workstation at that address will simply forward any data it receives on port 515 to the bermuda printer.

First, I checked to see what printers the PC already thought were available with the lpstat command.


# lpstat -a
laserjet accepting requests since Dec 05 19:23 2006

The system already is set up to print to laserjet, but unfortunately that printer is no longer accessible, which is why I need to use balance and the bermuda printer.

I then used the lpadmin command on the Solaris 10 PC to add the new printer.


# lpadmin -p bermuda -s 192.168.1.1

The first lpadmin command has a -p argument, which specifies the printer name I want to use on the PC for the printer. I am going to use the name bermuda so that it matches the printer's network name, but it wouldn't have to match. The next argument is specified with -s. The -s option is followed by a system name, e.g. ultra5.somewhere.org, or an IP address. I used the latter and specified the IP address of the Ultra 5 interface to which the PC is connected. The -s option makes a printer on another system available to the local system.


     -s system-name[!printer-name]

         Make a remote printer (one that must be accessed through
         another  system)  accessible  to  users  on your system.
         system-name is the name of the remote  system  on  which
         the  remote  printer  is located it. printer-name is the
         name used on the remote system  for  that  printer.  For
         example,  if  you want to access printer1 on system1 and
         you want it called printer2 on your system:

         -p printer2 -s system1!printer1

Once I added the printer, I wanted to make it the default printer, which I can do with the -d option for lpadmin.


# lpadmin -d bermuda

If you want to check which printer is the default printer, you can use the command lpstat -d.


# lpstat -d
system default destination: bermuda

Now, if I check printer status with lpstat -a, I see both the old and new printers listed.


# lpstat -a
laserjet accepting requests since Dec 08 19:32 2006
bermuda accepting requests since Dec 08 19:32 2006
_default accepting requests since Dec 08 19:32 2006

If I want more details, I can use lpstat -s.


# lpstat -s
scheduler is not running
system default destination: bermuda
system for laserjet: 192.168.1.1
system for bermuda: 192.168.1.1
system for _default: 192.168.1.1 (as printer bermuda)

To get rid of the entry for the no longer accessible laserjet printer, I used the lpadmin -x command.


# lpadmin -x laserjet
# lpstat -a
bermuda accepting requests since Dec 08 19:57 2006
_default accepting requests since Dec 08 19:57 2006

Solaris stores the information about printers in /etc/printers.conf, so the lpadmin commands are modifying that file.

After adding the printer, if I then want to make it visible to a user account that is using the Java Desktop System for the user interface, I need to take the following steps:

  1. Click on Launch.
  2. Select Preferences.
  3. Select Printer Preferences.
  4. Click on View.
  5. Click on Select Printers to Show.
  6. Bermuda is now in the list of available printers, so click on it to select it and then click on OK.
  7. Right-click on it and select Set as Default.
  8. Close the Printer Manager window.

Now when printing from the Solaris 10 PC, I can print to the bermuda printer from the user account under which I made the above changes by selecting it as the printer in applications.

References:

  1. balance
    Author: Thomas Obermair
    freshmeat.net
  2. Balance
    Inlab Software GmbH
  3. Line Printer Daemon protocol
    Wikipedia
  4. Print Server Port Numbers for Netcat
    By Jeff Liebermann
    May 17, 2000
  5. How to Add a Network Printer Locally on a UNIX Solaris SPARC Workstation
    Citrix
    January 13, 2003
  6. Proxying the LPD Port with Balance
    MoonPoint Support
    March 3, 2006
  7. Balance
    MoonPoint Support

[/os/unix/solaris] permanent link

Mon, Dec 04, 2006 12:57 am

Pacerd.bundle

Bazooka™ Adware and Spyware Scanner v1.13.03 reported that it found Pacerd.bundle on a Windows XP system, G, when I scanned it.

The uninstall procedure on the Kephyr webpage suggested using "Add or Remove Programs" from the Windows Control Panel to remove entries named "Surf Sidekick", "ItalMgr", "Command", "RelevantKnowledge" and "MarketScore" before going through the manual uninstall instructions. However, none of those existed.

The Kephyr site indicates that the presence of any of the files or directories listed below may indicate a system is infected with this malware.


%ProgramsDir%\Msnmaker\
%ProgramsDir%\Quick Links\
%ProgramsDir%\InetGet\
%ProgramsDir%\FREEPR~1\
%ProgramsDir%\Freeprod Toolbar\
%ProgramsDir%\Cas\
%ProgramsDir%\CasStub\
%ProgramsDir%\CMSystem\
%ProgramsDir%\System Files\System.exe
%ProgramsDir%\System Files\plugin.dll
%ProgramsDir%\Yazzle Sudoku\
%WinDir%\etb\pokapoka73.exe
%WinDir%\etb\pokapoka75.exe
%WinDir%\exe82.exe
%WinDir%\bsx32\
%WinDir%\etb\
%WinDir%\jptc.dat
%WinDir%\offun.exe
%WinDir%\rk.exe
%WinDir%\rlvknlg.exe
%SystemDir%\PSof1.exe
%SystemDir%\exp.exe
%SystemDir%\wintask.exe
%SystemDir%\adcomplusanalytic.exe
%SystemDir%\ichckupd.exe
%SystemDir%\bho.dll
%SystemDir%\nsb12.dll
%SystemDir%\APD123.exe
%SystemDir%\wuauclt.dll
%SystemDir%\202_app13.exe
%SystemDir%\MTE2ODM6ODoxNg.exe
%SystemDir%\PopOops.dll
%SystemDir%\SI.exe
%SystemDir%\SWLAD1.dll
%SystemDir%\atmtd.dll
%SystemDir%\atmtd.dll._
%SystemDir%\dist001.exe
%SystemDir%\installer216.exe
%SystemDir%\nstD.dll
%SystemDir%\uc.exe
%SystemDir%\AOP2.exe
%SystemDir%\repairs302972979.dll

%WinDir% is a variable. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\WINNT (Windows NT/2000).

%SystemDir% is a variable. By default, this is C:\Windows\System (Windows 95/98/Me), C:\WINNT\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

%ProgramsDir% is a variable. By default, this is C:\Program Files.

I created a batch file, pacerd_bundle-files.bat, to search for any instances of the above files or directories on the system. None were found.

I then checked the registry for the presence of any of the registry keys the Kephyr webpage listed as being associated with the malware. I found only one of the listed registry keys. The one I found was associated with a Windows startup entry for winsync.


C:\>reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v winsync

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    winsync     REG_SZ  C:\WINDOWS\System32\kdkgpx.exe reg_run

However, I did not see that file on the system, even when I booted into safe mode, and none of the listed files were found when I checked in safe mode either.

I deleted the registry key with the reg delete command.


C:\Documents and Settings\Administrator\My Documents>reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v winsync

Delete the registry value winsync (Y/N)? y

The operation completed successfully

When I scanned the system again with Bazooka, it did not report the presence of Pacerd.bundle. The registry key it found previously was likely a remnant of spyware previously removed by another antispyware program on the system.

References:

  1. Pacerd.bundle

[/security/spyware/pacerd_bundle] permanent link

Sun, Dec 03, 2006 10:12 pm

Exploit searchterror.com

I ran a scan of a system, G, with Bazooka™ Adware and Spyware Scanner v1.13.03. It found Exploit searchterror.com on the system.

The uninstall procedure on the Kephyr webpage suggested using "Add or Remove Programs" in the Windows® Control Panel to remove the malware. I looked for "SpySheriff" and "WeirdOnTheWeb" entries as suggested, but found none.

The Kephyr site indicates that the presence of any of the files or directories listed below may indicate a system is infected with this malware.


c:\loader.exe
c:\mailz.txt
c:\sys.exe
c:\tmp.txt
c:\trig.dtl
c:\winstall.exe
%WinDir%\weirdontheweb_topc.exe
%WinDir%\zsettings.dll
%WinDir%\tool1.exe
%WinDir%\tool2.exe
%WinDir%\tool3.exe
%WinDir%\svchost.exe
%WinDir%\ms1.exe
%WinDir%\ms2.exe
%WinDir%\ms3.exe
%WinDir%\ms4.exe
%WinDir%\msmsgr2.exe
%WinDir%\drexinit.dll
%WinDir%\kernels32.exe
%WinDir%\vr_sys.dll
%WinDir%\desktop.html
%WinDir%\dvpd.dll
%WinDir%\installer_SIAC.exe
%WinDir%\sasent.dll
%WinDir%\sasetup.dll
%WinDir%\cdmweb\
%SystemDir%\latest.exe
%SystemDir%\maxd.exe
%SystemDir%\newdial.exe
%SystemDir%\realupd32.exe
%SystemDir%\realupd_32.exe
%SystemDir%\thn.dll
%SystemDir%\thn32.dll
%SystemDir%\tibs.exe
%SystemDir%\vx.tll
%SystemDir%\init32m.exe
%SystemDir%\cssrs.exe
%SystemDir%\abc.exe
%SystemDir%\paytime.exe
%SystemDir%\vxgame1.exe
%SystemDir%\vxgame2.exe
%SystemDir%\vxgame3.exe
%SystemDir%\vxgame4.exe
%SystemDir%\win32.exe
%SystemDir%\newdial1.exe
%SystemDir%\zolk.dll
%SystemDir%\ztoolber.dll
%SystemDir%\ztoolbar.bmp
%SystemDir%\ztoolbar.xml
%SystemDir%\~update.exe
%ProgramsDir%WeirdOnTheWeb\

%WinDir% is a variable. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\WINNT (Windows NT/2000).

%SystemDir% is a variable. By default, this is C:\Windows\System (Windows 95/98/Me), C:\WINNT\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

%ProgramsDir% is a variable. By default, this is C:\Program Files.

The file svchost.exe is in the list, but it is also a file normally found on Windows systems. On Windows NT and later, though, the legitimate copy lives in %WinDir%\system32 rather than in %WinDir% itself; the Kephyr webpage indicates that a copy directly in the %WinDir% directory points to this malware.

I created a batch file, searchterror-files.bat, to search for any instances of the above files or directories on the system. The script found neither of the two directories associated with the malware, %WinDir%\cdmweb\ and %ProgramsDir%\WeirdOnTheWeb\. The only file from the list which it found was C:\temp.txt, which had a creation timestamp of Thursday, December 23, 2004, 4:21:31 PM. When I renamed that file, Bazooka no longer reported the presence of Exploit searchterror.com on the system. Since it didn't find any registry entries associated with the malware, I believe the report was a false positive.
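For the file checks that this post and the Pacerd.bundle post above did with a batch file, an added Python example (not the author's pacerd_bundle-files.bat or searchterror-files.bat): it expands the %WinDir%, %SystemDir% and %ProgramsDir% placeholders with the Windows XP defaults given above and reports which indicator paths exist. The existence check is a parameter, so the example runs offline against a constructed file set; the excerpt of indicators and that file set are constructed for the example.

```python
# Added example, not the author's pacerd_bundle-files.bat or searchterror-files.bat:
# expand the %WinDir%, %SystemDir% and %ProgramsDir% placeholders used in the
# indicator lists above and report which paths exist. The existence check is a
# parameter, so it runs here against a constructed file set (pass os.path.exists,
# the default, on a real host).
import os
from typing import Callable, Dict, Iterable, List, Tuple

# Windows XP defaults as stated in the posts (NT/2000 and 9x use other roots).
XP_ROOTS: Dict[str, str] = {
    "%WinDir%": "C:\\Windows",
    "%SystemDir%": "C:\\Windows\\System32",
    "%ProgramsDir%": "C:\\Program Files",
}

# Short excerpt of the Kephyr indicators quoted above; a trailing "\" means a directory.
INDICATORS: List[str] = [
    "%WinDir%\\svchost.exe",          # suspicious only outside System32
    "%WinDir%\\cdmweb\\",
    "%SystemDir%\\wuauclt.dll",
    "%ProgramsDir%\\Yazzle Sudoku\\",
    "c:\\tmp.txt",
]


def expand(indicator: str, roots: Dict[str, str] = XP_ROOTS) -> str:
    """Replace a leading placeholder with its root path; literal paths pass through."""
    lowered = indicator.lower()
    for var, root in roots.items():
        if lowered.startswith(var.lower()):
            return root + indicator[len(var):]
    return indicator


def check_indicators(indicators: Iterable[str], roots: Dict[str, str] = XP_ROOTS,
                     exists: Callable[[str], bool] = os.path.exists) -> List[Tuple[str, str]]:
    """Return (indicator, expanded path) for every indicator present on the host."""
    hits: List[Tuple[str, str]] = []
    for ind in indicators:
        path = expand(ind, roots).rstrip("\\")  # directory entries lose the trailing "\"
        if exists(path):
            hits.append((ind, path))
    return hits


# Constructed file set standing in for a host: the legitimate System32 copy of
# svchost.exe is present and the %WinDir% copy is not, so svchost.exe is not flagged.
CONSTRUCTED_HOST = {
    "c:\\windows\\system32\\svchost.exe",
    "c:\\windows\\system32\\wuauclt.dll",
    "c:\\tmp.txt",
}


def demo_hits() -> List[Tuple[str, str]]:
    """Windows paths are case-insensitive, so the constructed check compares lower-case."""
    return check_indicators(INDICATORS, XP_ROOTS, lambda p: p.lower() in CONSTRUCTED_HOST)
```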

References:

  1. Exploit searchterror.com

[/security/spyware/searchterror] permanent link
