Another instance of WinVNC is already running

James ''Wez'' Weatherall jnw22 "at" cam.ac.uk
Fri, 01 Jun 2001 13:57:33 +0000


The ~1 indicates that the names are the MS-DOS 8.3 forms of longer Win32
filenames.  The files could have been installed by a remote VNC batch
installer script (there are several contributed variants) or by a malicious
user wishing to snoop.

<PARANOID>
Ah.  Actually, it looks like the latter.  Notice that the hook DLL is not
called VNCHooks.dll.  This means the program must have been recompiled with
the new name, so it's probably a VNC-derived hacked executable.  :(
</PARANOID>

James "Wez" Weatherall
--
          "The path to enlightenment is /usr/bin/enlightenment"
Laboratory for Communications Engineering, Cambridge - Tel : 766513
AT&T Labs Cambridge, UK                              - Tel : 343000

----- Original Message -----
From: "derek Ngai" <derek "at" surfgold.com>
To: <vnc-list "at" uk.research.att.com>
Sent: Friday, June 01, 2001 8:29 AM
Subject: Re: Another instance of WinVNC is already running


> Thank you for asking me this simple but helpful question. I thought that
> no VNC should have been running because every instance of files with names
> containing "vnc" had been removed, and system restarted.
>
> But then I thought twice. In the Admin Tools: Services panel, I found a
> mysterious "SYS_1_~1 Service" entry - no Description, unlike those Microsoft
> services. Here is the "Path to executable":
>
> "c:\winnt\system32\sys_1_~1.exe" /service
>
> Simply stopping this mysterious service solves the problem!! James, thanks
> for your hints!
>
> Looking into the system32 directory curiously, I found there were 3 files:
>
> sys_1_~1.exe
> SYS_1_~1HKS.DLL
> sys_1_~1.dat
>
> I suspect these were neither created by Win2K nor VNC. Has anyone else
> seen these pieces before?
>
> Regards,
> -- derek Ngai
>
> -----Original Message-----
> Date: Tue, 29 May 2001 15:07:15 +0100
> From: "James ''Wez'' Weatherall" <jnw22 "at" cam.ac.uk>
> Subject: Re: Another instance of WinVNC is already running
>
> > For some reason I restarted my Win2K web server (IIS) yesterday, and the
> > VNC Server (3.3.3r2) no longer worked. It said "Another instance of WinVNC
> > is already running" after the first login since a Win2K restart. But WinVNC
> > was *not* running.
>
> How do you know WinVNC was not running?
> ---------------------------------------------------------------------
> To unsubscribe, send a message with the line: unsubscribe vnc-list
> to majordomo "at" uk.research.att.com
> See also: http://www.uk.research.att.com/vnc/intouch.html
> ---------------------------------------------------------------------
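Added example, not part of the original thread and not VNC project code: an offline triage pass over exported service records that applies the three clues discussed above (an 8.3 short name in the image path, an empty Description, and a companion DLL sharing the executable's stem). The record layout, the function names `image_path` and `triage`, and the benign `prnhelp` entry are assumptions made for illustration; the suspect entry uses the values quoted in the thread.

```python
import re
from ntpath import basename, splitext  # Windows path rules on any host OS

# 8.3 short-name marker: "~" plus digits ending the base name (e.g. sys_1_~1)
SHORT_NAME = re.compile(r"~\d+$")

def image_path(cmdline):
    """Extract the executable path from a service command line, quoted or not."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:].split('"', 1)[0]
    return cmdline.split(" ", 1)[0]

def triage(service, dir_listing):
    """Return the reasons a service record deserves a closer look (may be empty)."""
    reasons = []
    exe = basename(image_path(service["path"]))
    stem = splitext(exe)[0].lower()
    if SHORT_NAME.search(stem):
        reasons.append("8.3 short name in image path")
    if not service.get("description", "").strip():
        reasons.append("no description")
    # Files in the same directory that share the stem, excluding the exe itself
    siblings = sorted(f for f in dir_listing
                      if f.lower().startswith(stem) and f.lower() != exe.lower())
    if any(f.lower().endswith(".dll") for f in siblings):
        reasons.append("companion DLL shares the stem: " + ", ".join(siblings))
    return reasons

# Constructed sample data: the suspect record and file names are the ones
# quoted in the thread; kernel32.dll and the prnhelp entry are added for contrast.
LISTING = ["sys_1_~1.exe", "SYS_1_~1HKS.DLL", "sys_1_~1.dat",
           "kernel32.dll", "prnhelp.exe"]
SUSPECT = {"name": "SYS_1_~1 Service", "description": "",
           "path": r'"c:\winnt\system32\sys_1_~1.exe" /service'}
BENIGN = {"name": "Print Helper (hypothetical)",
          "description": "Constructed benign entry",
          "path": r"c:\winnt\system32\prnhelp.exe"}

if __name__ == "__main__":
    for svc in (SUSPECT, BENIGN):
        print(svc["name"], "->", triage(svc, LISTING) or "nothing flagged")
```

A hit is a lead to examine rather than a verdict: as noted in the reply above, a batch installer script can also leave 8.3-form names behind.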