DameWare and Hacker questions - updates

dullard

Elite Member
May 21, 2001
25,763
4,289
126
The department I'm in had troubles with hackers about a month ago. They were using DameWare along with some other programs to use the computers as porn servers (hiding the movies in the recycle bin). Took a few days but we got that all deleted and everything was fine.

Today I went to one of the community computers (used by multiple people) and in the taskbar there is an icon for DameWare Mini Remote Control Server 3.70.10.0. It seems to not be causing any problems - but the higher-ups want it removed. Is there any legitimate use for it? How can I uninstall it? The people who use the computer are on vacation now - they will be questioned next week, but as of now we need it off the computer.

Update:
Got new virus program on the computer. Firewall is now working properly. Found ~60 GB out of 80 GB space is used with burned CDs and DVDs. That is being formatted at the moment. One question though. Some program SNMP.exe keeps trying to get access. Any idea what that is?
 

dullard

Elite Member
May 21, 2001
25,763
4,289
126
Originally posted by: Hossenfeffer
google says...
Google says (in your link)
1) Page not available,
2) How to install DameWare,
3) Pages that don't load,
How many links do I have to try until I get my answers?
 

Hossenfeffer

Diamond Member
Jul 16, 2000
7,462
1
0
Lazy bastage ;)

Yes, it has its "uses" as a remote administration utility, but is prevalent with the hacker types. Looking through some of the links (some didn't work, sure) they recommend running an up-to-date virus scan, making sure the administrator password is adequate, and head to DameWare's website for instructions on how to remove it.
 

KLin

Lifer
Feb 29, 2000
30,105
484
126
Dullard,

It looks like it's a service called DWRCS.EXE. I had it running on my computer, and I stopped the service, and set it to Manual. That's if the computer is running Windows NT/2000/XP of course.
 

dullard

Elite Member
May 21, 2001
25,763
4,289
126
Ok I rebooted, stopped the DWRCS.exe task from running, deleted the DWRCS*.* files in the Windows system directory, and got rid of the registry DameWare information. (Exactly what the website said to do after quite a bit of searching). But then on reboot a program called !Glance 3.0 said it suddenly didn't have what it needed to run properly. I also never installed !Glance - but it could be possibly a desirable program installed legitimately by one of the other users. It seems that it is a screen capture program. Do you think these are related?
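
The checks behind the removal steps in the two posts above, as an added example that is not part of the original thread: it inventories the service, its listening ports and its files before anything is stopped or deleted, so there is a record of what was installed and when. It assumes the binary name DWRCS.exe given in the posts and a current Windows build with PowerShell 5.1 or later; the stop/disable step runs with `-WhatIf`, so it only reports what it would do.

```powershell
# Added example, not from the thread. Assumes the service binary is named
# DWRCS.exe (as the posts state) and a Windows build with PowerShell 5.1+.
$pattern = 'DWRCS'

# 1. Find services by image path rather than by service name, since the
#    registered name may differ from the executable name.
$services = @(Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -match $pattern })

foreach ($svc in $services) {
    $svc | Format-List Name, DisplayName, State, StartMode, StartName, PathName

    # Ports the running service process is listening on.
    if ($svc.ProcessId -gt 0) {
        Get-NetTCPConnection -State Listen -OwningProcess $svc.ProcessId `
            -ErrorAction SilentlyContinue |
            Format-Table LocalAddress, LocalPort, OwningProcess
    }
}

# 2. Record the matching files (creation time, hash, signer) before deleting
#    them; the creation time helps date the install against user activity.
$sysDir = Join-Path $env:SystemRoot 'System32'
Get-ChildItem -Path $sysDir -Filter "$pattern*" -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File      = $_.FullName
            Created   = $_.CreationTimeUtc
            SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Signature = $sig.Status
            Signer    = $sig.SignerCertificate.Subject
        }
    } | Format-List

# 3. Dry run of stopping the service and keeping it from starting again.
#    Disabled is stricter than the Manual setting mentioned in the thread.
#    Remove -WhatIf to apply.
foreach ($svc in $services) {
    Stop-Service -Name $svc.Name -Force -WhatIf
    Set-Service -Name $svc.Name -StartupType Disabled -WhatIf
}
```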
 

KLin

Lifer
Feb 29, 2000
30,105
484
126
Originally posted by: dullard
Ok I rebooted, stopped the DWRCS.exe task from running, deleted the DWRCS*.* files in the Windows system directory, and got rid of the registry DameWare information. (Exactly what the website said to do after quite a bit of searching). But then on reboot a program called !Glance 3.0 said it suddenly didn't have what it needed to run properly. I also never installed !Glance - but it could be possibly a desirable program installed legitimately by one of the other users. It seems that it is a screen capture program. Do you think these are related?

IMHO I would assume that if the hackers were using DameWare, and now this !Glance program doesn't want to work without the DameWare software, then I would associate it with DameWare and just wipe it out too.
 

starwarsdad

Golden Member
May 19, 2001
1,433
0
0
Dameware is an outstanding program. We use it at work.

If I were the IT director or Admin in your company, I would be a hell of a lot more concerned about how my firewall and other measures were penetrated than I was about removing Dameware.

FWIW, Dameware only runs on NT based machines. It cannot be used to control a 9x client, nor can a 9x client be used as the "host".
 

dullard

Elite Member
May 21, 2001
25,763
4,289
126
Originally posted by: starwarsdad
Dameware is an outstanding program. We use it at work.

If I were the IT director or Admin in your company, I would be a hell of a lot more concerned about how my firewall and other measures were penetrated than I was about removing Dameware.

FWIW, Dameware only runs on NT based machines. It cannot be used to control a 9x client, nor can a 9x client be used as the "host".
It's a university. Firewalls are present but sparse and it is virtually impossible to get a solid wall built. You cannot force students and professors to use them.
 

sharkeeper

Lifer
Jan 13, 2001
10,886
2
0
Account policies aren't strict enough! You can also add access policies as well. Make sure password rules are enforced! Users should be made to change their passwords every 10 days, not be permitted to use the same one within a year, use the same word backwards, etc. Should also be a minimum of 10 characters including upper/lower case, alpha and random symbol...

-DAK-
 

dullard

Elite Member
May 21, 2001
25,763
4,289
126
Update:
Got new virus program on the computer. Firewall is now working properly. Found ~60 GB out of 80 GB space is used with burned CDs and DVDs. That is being formatted at the moment. One question though. Some program SNMP.exe keeps trying to get access. Any idea what that is?
 

cavemanmoron

Lifer
Mar 13, 2001
13,664
28
91
Originally posted by: dullard
Update:
Got new virus program on the computer. Firewall is now working properly. Found ~60 GB out of 80 GB space is used with burned CDs and DVDs. That is being formatted at the moment. One question though. Some program SNMP.exe keeps trying to get access. Any idea what that is?

WinTasks Process Library



snmp - snmp.exe - Process Information
Process File: snmp or snmp.exe
Process Name: Microsoft SNMP Agent
Description: The Windows Simple Network Management Protocol (SNMP) Agent is a proxy that listens for requests and hands them off to the appropriate network provider
Common Errors: N/A
System Process: Yes



google
 

sharkeeper

Lifer
Jan 13, 2001
10,886
2
0
Got new virus program on the computer. Firewall is now working properly. Found ~60 GB out of 80 GB space is used with burned CDs and DVDs. That is being formatted at the moment.

Sounds like you were hacked and they installed FTP Serv-U. They usually store all the porn and warez in the RECYCLED folder. You have to set Explorer to view hidden system files to see these.

Good thing you have a firewall installed.

-DAK-
 

dullard

Elite Member
May 21, 2001
25,763
4,289
126
Originally posted by: shuttleteam
Got new virus program on the computer. Firewall is now working properly. Found ~60 GB out of 80 GB space is used with burned CDs and DVDs. That is being formatted at the moment.

Sounds like you were hacked and they installed FTP Serv-U. They usually store all the porn and warez in the RECYCLED folder. You have to set Explorer to view hidden system files to see these.

Good thing you have a firewall installed.

-DAK-
The recycled one was going around the university a couple weeks ago. This time they used the 'system volume information' folder. But even with hidden system files turned on Windows cannot show these files - but DOS sees them clearly.