help about "reading version failed: not an RFB server?"
Alex Pelts
alexp "at" broadcom.com
Fri Nov 3 18:36:01 2006
This is possibly some spyware or trojan which hides its process from
process manager. You can try to use tools from sysinternals.com to
discover this process. Also run updated anti-virus software to check if
there is any virus.
When you run anti-virus, disable Windows restore, because if the file is
in one of the Windows directories it will be restored right back. You
should have your hands full with this one. Don't let it slide though,
because it may be some key logger or some zombie software.
Alex
danidani wrote:
> PID is 1576 but it doesn't correspond to any PID that is listed in the
> Task Manager
>
> quite strange isn't it?!
>
> On 11/3/06, *Alex Pelts* <alexp "at" broadcom.com> wrote:
>
> Under win xp you can run "netstat -a -o". That will give you pid of
> process which owns each connection. From there you can run task manager
> and find out who opened that connection. On unix there is a similar
> facility although switches are different and you need to be root to
> do it.
>
> Regards,
> Alex
>
>
> danidani wrote:
> > GREAT, it works with this trick!!
> >
> > Now the question is... which program is using port 5900??!
> >
> > On 11/3/06, John Aldrich <john "at" chattanooga.net> wrote:
> >> On Friday 03 November 2006 10:50, danidani wrote:
> >>> Doing telnet ipaddress 5900 I obtain:
> >>> : Welcome!psyBNC "at" lam3rz.de NOTICE * :psyBNC2.3.1
> >>>
> >>> running telnet ipaddress 5907 I get
> >>>
> >>> RFB 003.008
> >>>
> >>> and that is correct because I changed the port on the vnc server
> >>>
> >>>
> >>> Anyway I don't get access yet.
> >>>
> >> Try adding :7 to the name or IP address of the PC you're attempting to
> >> connect to from remote. Or you can put ::5907 after the name/ip address
> >> of the PC.
> >> John
>
> --
> skype: danieleda
> msn: scriviadani "at" gmail.com
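
The cross-check discussed in this thread (the PID reported by netstat against the process list), as an added example that is not part of the original messages: it parses saved `netstat -a -n -o` output (`-n` is added here so ports are numeric) and `tasklist /FO CSV /NH` output, and reports listening ports whose owning PID is missing from the process list. The sample text and the function names are constructed for illustration.

```python
import csv
import io

# Constructed sample of `netstat -a -n -o` output (not from the thread's machine).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING       1576
  TCP    0.0.0.0:5907           0.0.0.0:0              LISTENING       2044
  UDP    0.0.0.0:1900           *:*                                    1180
"""

# Constructed sample of `tasklist /FO CSV /NH` output; PID 1576 is absent on purpose.
TASKLIST_SAMPLE = '''\
"svchost.exe","1180","Console","0","3,004 K"
"winvnc4.exe","2044","Console","0","3,912 K"
'''


def parse_listeners(netstat_text):
    """Return {port: pid} for TCP sockets in the LISTENING state."""
    listeners = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have 5 columns; UDP rows have no State column and are skipped.
        if len(fields) == 5 and fields[0] == "TCP" and fields[3] == "LISTENING":
            port = fields[1].rsplit(":", 1)[-1]
            if port.isdigit() and fields[4].isdigit():
                listeners[int(port)] = int(fields[4])
    return listeners


def parse_tasklist(csv_text):
    """Return {pid: image name} from tasklist CSV rows."""
    return {int(r[1]): r[0] for r in csv.reader(io.StringIO(csv_text))
            if len(r) >= 2 and r[1].isdigit()}


def unlisted_owners(netstat_text, tasklist_text):
    """Return [(port, pid)] for listeners whose PID is not in the process list."""
    procs = parse_tasklist(tasklist_text)
    return sorted((port, pid) for port, pid in parse_listeners(netstat_text).items()
                  if pid not in procs)


if __name__ == "__main__":
    for port, pid in unlisted_owners(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"port {port}: PID {pid} not in process list, inspect with other tools")
```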