The ~1 indicates that the names are the MS-DOS 8.3 forms of longer Win32
filenames. The files could have been installed by a remote VNC batch
installer script (there are several contributed variants) or by a malicious
user wishing to snoop.
<PARANOID>
Ah. Actually, it looks like the latter. Notice that the hook DLL is not
called VNCHooks.dll. This means the program must have been recompiled with
the new name, so it's probably a VNC-derived hacked executable. :(
</PARANOID>
James "Wez" Weatherall
--
"The path to enlightenment is /usr/bin/enlightenment"
Laboratory for Communications Engineering, Cambridge - Tel : 766513
AT&T Labs Cambridge, UK - Tel : 343000
----- Original Message -----
From: "derek Ngai" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, June 01, 2001 8:29 AM
Subject: Re: Another instance of WinVNC is already running
> Thank you for asking me this simple but helpful question. I thought that
> no VNC should have been running because every instance of files with names
> containing "vnc" had been removed, and system restarted.
>
> But then I thought twice. In the Admin Tools: Services panel, I found a
> mysterious "SYS_1_~1 Service" entry - no Description, unlike those Microsoft
> services. Here is the "Path to executable":
>
> "c:\winnt\system32\sys_1_~1.exe" /service
>
> Simply stopping this mysterious service solves the problem!! James, thanks
> for your hints!
>
> Looking into the system32 directory curiously, I found there were 3 files:
>
> sys_1_~1.exe
> SYS_1_~1HKS.DLL
> sys_1_~1.dat
>
> I suspect these were neither created by Win2K nor VNC. Has anyone else
> seen these pieces before?
>
> Regards,
> -- derek Ngai
>
> -----Original Message-----
> Date: Tue, 29 May 2001 15:07:15 +0100
> From: "James ''Wez'' Weatherall" <[EMAIL PROTECTED]>
> Subject: Re: Another instance of WinVNC is already running
>
> > For some reason I restarted my Win2K web server (IIS) yesterday, and the
> > VNC Server (3.3.3r2) no longer worked. It said "Another instance of WinVNC
> > is already running" after the first login since a Win2K restart. But WinVNC
> > was *not* running.
>
> How do you know WinVNC was not running?
> ---------------------------------------------------------------------
> To unsubscribe, send a message with the line: unsubscribe vnc-list
> to [EMAIL PROTECTED]
> See also: http://www.uk.research.att.com/vnc/intouch.html
> ---------------------------------------------------------------------
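
The signs discussed in this thread (a short-name "~1" marker in the service executable, no service description, and a same-named DLL that is not VNCHooks.dll) can be checked over an exported service and file inventory. The following is an added example, not code from the thread or from the VNC project; the inventory format, the WinVNC install path and the two-signal threshold are assumptions, and the sample data is constructed from the names quoted above.

```python
import ntpath
import re

SHORT_NAME = re.compile(r"~\d")  # 8.3 alias marker such as "~1"
EXE_PATH = re.compile(r'^\s*(?:"([^"]+)"|(.+?\.exe))(?=\s|$)', re.I)

def exe_of(command_line):
    """Executable path from a service 'Path to executable' string."""
    m = EXE_PATH.match(command_line)
    return (m.group(1) or m.group(2)) if m else command_line.strip()

def triage(services, files):
    """Return {service name: [signals]} for services showing two or more signals.

    services: dicts with 'name', 'path', 'description' (assumed export format)
    files:    full paths of files on the host
    """
    files = [f.lower() for f in files]
    flagged = {}
    for svc in services:
        folder, name = ntpath.split(exe_of(svc["path"]).lower())
        stem = ntpath.splitext(name)[0]
        signals = []
        if SHORT_NAME.search(name):
            signals.append("short-name marker in executable name")
        if not svc.get("description", "").strip():
            signals.append("no description")
        for f in files:
            f_dir, f_name = ntpath.split(f)
            # A DLL beside the executable that shares its stem, where a stock
            # WinVNC install would have VNCHooks.dll instead.
            if (f_dir == folder and f_name.startswith(stem)
                    and f_name.endswith(".dll") and f_name != "vnchooks.dll"):
                signals.append("same-stem DLL not named VNCHooks.dll: " + f_name)
        if len(signals) >= 2:
            flagged[svc["name"]] = signals
    return flagged

# Constructed sample inventory; only the sys_1_~1 names come from the thread.
SERVICES = [
    {"name": "SYS_1_~1 Service", "description": "",
     "path": r'"c:\winnt\system32\sys_1_~1.exe" /service'},
    {"name": "Spooler", "description": "Loads files to memory for later printing.",
     "path": r"C:\WINNT\System32\spoolsv.exe"},
    {"name": "VNC Server", "description": "",
     "path": r'"C:\Program Files\ORL\VNC\WinVNC.exe" -service'},
]
FILES = [r"c:\winnt\system32\sys_1_~1.exe", r"c:\winnt\system32\SYS_1_~1HKS.DLL",
         r"c:\winnt\system32\sys_1_~1.dat", r"C:\WINNT\System32\spoolsv.exe",
         r"C:\Program Files\ORL\VNC\VNCHooks.dll"]

if __name__ == "__main__":
    for svc_name, signals in triage(SERVICES, FILES).items():
        print(svc_name, "->", "; ".join(signals))
```

A service with only one signal, such as a legitimately installed WinVNC without a description, is not flagged.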