# WinVNC



## shaggy29us (Mar 10, 2003)

When I reboot my machine, I get a window that pops up and asks what configuration I want to make to WinVNC. I have never installed this program, but my understanding is that it is a remote access program. How do I remove it or track down its user?


----------



## Rockn (Jul 29, 2001)

Someone has installed it and set it up to start automatically. There isn't really any way you can track who is connecting unless there is a log file setting in the application. Just uninstall it unless you want to do some covert ops and bust whomever installed it.


----------



## shaggy29us (Mar 10, 2003)

Unfortunately, it is running in some type of STEALTH MODE. It doesn't show up anywhere. I can't search files or anything and find it. Yes, I would like to find out where it is coming from OR going to.


----------



## JohnWill (Oct 19, 2002)

X-Setup will allow you to see all the places that Windows starts up software easily, and you'll find VNC in the list. Since you didn't mention any system or O/S details, it's hard to be more specific.


----------



## chesindy (Jun 10, 2003)

I'm having the same problem with WinVNC running on startup, and I suspect that it's responsible for me suddenly getting messenger popups and even a virus. Unfortunately, it came back even after I reinstalled Windows 2000 Pro. 

I'd like to remove WinVNC, but it doesn't appear in Add/Remove Programs. I've downloaded X-Setup, but I can't seem to find it there either. Can anyone help me use X-Setup or another utility to remove this program? Thanks!


----------



## RandyG (Jun 26, 2000)

In Win2k, vnc server is usually run as a service. Disable it from Start, Settings, Control Panel, Administrative Tools, Services and it will be listed as VNC Server. Double-click it, and then click on Stop, and in Startup type, set it to Disabled.


----------



## JohnWill (Oct 19, 2002)

VNC is a remote control application that is on the up-n-up. I have no idea how you got it installed without your knowledge, but it's time to do a serious security review of your system!


----------



## Anverion (Jun 14, 2003)

Hey guys,

The first time I ran the Viewer, I saw one of my Icons. Waited for a few minutes and VNC automatically shut down. Restarted the viewer and I can see the desktop, but nothing else. Do I have to modify anything on the viewer machine to get this to work?
I'm running Win2K on the server side and XP on the viewer end. Does this make a difference?

Also, I had someone at work watching my server computer while I was running the viewer at home and he said he saw my mouse moving. He also informed me that my desktop changed colors once I was connected.

Any help would be appreciated.

-Anvy


----------



## WytBox (Jun 25, 2003)

I have used WinVNC as a great terminal services app...but I have also seen it abused in a rootkit by some mIRC monkeys. A user I support complained that it was "Popping up on startup"...and had no need (nor the skills) to actually be using WinVNC. A quick check of his system showed that his (ADSL internal, non firewalled) box was completely owned by a large group of mIRC users...and WinVNC was one of the apps they used to configure the box.

Like the original poster, this thing was very well hidden...did not appear in services or add/remove.


----------



## axco (Jul 11, 2003)

I also have WinVNC popping up when my desktop starts up. Like others here, I can't find any evidence of this program in the usual places in order to get rid of it. I checked also in the Administrative Tools folder, as RandyG suggested, but the program VNC Server is not listed. I also run Win2k Pro and upgraded from a Win98 installation. Any thoughts on how to disable or uninstall this bugger? Thanks, Axel


----------



## RandyG (Jun 26, 2000)

have you guys searched the registry for vnc?

Start, Run, regedit and hit enter

press f3 and type in vnc and hit enter.

I just ran it, and every instance of vnc I found was for the program RealVNC, esVNC, WinVNC, or UltraVNC. There were no other instances of vnc in my entire registry, so it may be that if you find any references, they would be safe to delete.

I would recommend, before deleting them, post back here for verification, and always backup your registry before changing things.

All of you should definitely think about the following:

Kerio Personal Firewall is good, uses less resources than many, and is free.

Also, make sure you have cleaned out your PC of all useless garbage that would affect its performance.

Get Ad-Aware and HijackThis to clean your PC of unwanted and resource hogging ads and spyware.

Make sure you have a good, updated, AntiVirus package running.


----------



## MsPCGenius (Apr 24, 2000)

Ahem, speaking from an IS Security business perspective, if these are PCs located in your office, I suggest that you contact your IS Department (Help Desk, etc.) to determine if the install was legitimate.

If it is, it was probably pushed down to your system and you will not be able to uninstall. You also should have a clear understanding of your company's policies and procedures regarding the deletion of company-installed applications. You do not want to jeopardize your standing with those who give you a paycheck.


----------



## RandyG (Jun 26, 2000)

good point, but if they are running in an office environment, and on Win2000, more than likely they won't have access to these areas.

However you bring up another good point in that if they are on just user accounts, then the application could be hidden from you, and you won't be able to change it.

However, I bow to the wisdom of your statement, MsPCGenius!


----------



## axco (Jul 11, 2003)

I just searched my registry for VNC and that's what I got back:

Under HKEY_CURRENT_USER\software I have an entry called ORL with two directories. One is VNCHooks and the other WinVNC3

Under HKEY_LOCAL_MACHINE\software I have an entry called ORL with the directory WinVNC3

Under HKEY_USERS\.DEFAULT\software I have an entry called ORL with two directories. One is VNCHooks and the other WinVNC3

Under HKEY_USERS\.S-1-5-21-145-..\software I have an entry called ORL with two directories. One is VNCHooks and the other WinVNC3

Is it safe to delete all WinVNC3 references?
Thanks, Axel


----------



## RandyG (Jun 26, 2000)

Yes, all of those are for winvnc

Yes, you can delete them

If it's your work computer, you hold responsibility for it.

I'd still recommend backing up the registry, just in case, before the deletion. Always the safest bet.


----------



## MsPCGenius (Apr 24, 2000)

> If it's your work computer, you hold responsibility for it.


And now, I bow to your wisdom.

I am always concerned that -- although the advice offered at this forum is most excellent -- I can't help but wonder how many people are attempting to "fix" a company-owned PC, which potentially can get them in big-time trouble.

For example, why would anyone in a home environment have VNC installed???

It is my nature to worry...


----------



## axco (Jul 11, 2003)

It's a company owned laptop. This "company" is only a handful of people (only 3 people had access to the machine). While the laptop is in the office it's hooked up to Windows network server with DSL access. On the road the Internet connection is thru telephone modem. The only thing I can think of is that this program was installed by clicking on an email attachment or by clicking on a link on a website without knowing what was actually installed.


----------



## axco (Jul 11, 2003)

I deleted the entries in the register, however the stupid WinVNC window still pops up after I reboot and the entries re-appear in the register. Something re-creates this entry.


----------



## RandyG (Jun 26, 2000)

Ok, if it's a work computer, then more than likely your "IT" department installed it, cause vnc will enable them to connect to your machine and operate it remotely. Much less time consuming than having to talk you through a problem, come to your location, or have you come to theirs.

If you have removed the entries in the Registry, rebooted, logged on as your user account, then I am led to believe a script is running from before Win starts, or from an Administrator's hidden account. Either way, you should really check with your IT Department and see whether or not it is necessary, part of their installation scheme, or make them aware they need to fix it.

MsPCGenius - When someone comes in here, or rather 3 someones, and say they never installed it, it tends to make me worry. 1 person maybe installed it and forgot it, but 3 with the same issue makes me wonder if some script kiddie is exploiting the versatility of the free alternative to VPN or PCAnywhere. My LAST thought is whether it's a work computer, cause I *assume* folks using a work computer would ask their own IT Department what it is before us! And even if that is not the case, and the person is trying to disable a feature that the company does not want disabled, they will be unable to do so with simple techniques such as the ones we have mentioned here.

You're dead right about your comments. I shouldn't assume anything!


----------



## axco (Jul 11, 2003)

The company is us, the small handful of people. There is no IT department. We got this script from somebody else.


----------



## JohnWill (Oct 19, 2002)

I suspect there is some other entry in the startup somewhere that is loading VNC. Of course, if you nuke VNC itself, I can't imagine how this other application could start it. Have you tried deleting all the VNC files?


----------



## RandyG (Jun 26, 2000)

Log in as administrator and search for it, and remove it.


----------



## rallynut (Aug 5, 2003)

I have just run across this same problem on a friend's W2K computer. I updated his virus DAT files and it cleaned up a lot of virii. It still had the WinVNC screen at login.

I found that editing the registry as shown in the following page took care of that for good.

http://www.sophos.com/virusinfo/analyses/w32delodera.html

This is the part that solved his problem:

In Windows NT/2000/XP you will also need to edit the following registry entries. At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
messnger = <pathname of worm>

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Explorer = %Fonts%\explorer.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
TaskMan = %Fonts%\rundll32.exe

and delete them if they exist.

Close the registry editor.


----------



## axco (Jul 11, 2003)

Thanks rallynut,
I checked the entries in the registry on my computer

At the HKEY_LOCAL_MACHINE entries:

I do not have a line like shown below:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
messnger = <pathname of worm>

I do have the entry as shown below but without the % symbol in front and back of Fonts
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Explorer = %Fonts%\explorer.exe

I do have the entry as shown below but without the % symbol in front and back of Fonts
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
TaskMan = %Fonts%\rundll32.exe

Since that is not the same as in your message I kept the entries and yes, I still have the WinVNC window at startup.
Thanks, Axel


----------



## rallynut (Aug 5, 2003)

I'd recommend making a backup of your registry and then removing those two lines and see if it helps. If nothing else you can always restore the backup to put you back where you are now.

FWIW, I do not have any of those 3 lines in my W2K registry.


----------



## RandyG (Jun 26, 2000)

Well, I'll also verify that I haven't got a TaskMan or Explorer line in my Run folder.

I'd definitely take them out, especially since rundll32.exe is supposed to be in your winnt/system32 folder, and explorer.exe should be located in winnt folder (might have others located in service pack folders or uninstall folders).

Simple fact is neither of those should be in a fonts folder!!

Do a search of your system for rundll32.exe. There should definitely only be one on your system.

Good catch rallynut!
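As an added example (not code from any poster in this thread), the following Python script parses a Regedit export of the Run key, the same kind of file you get from the registry backup rallynut recommends, and flags the two patterns RandyG describes: an executable launched from a Fonts folder, and a well-known system binary sitting outside the folder it belongs in. The sample export is constructed for the example and the system root is assumed to be C:\WINNT.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample (not a real capture): a Regedit export of the HKLM Run key in the
# REGEDIT4 format Windows 2000 writes.  Two values mirror the entries discussed in this
# thread; the third is a benign-looking entry added for contrast.
SAMPLE_REG_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Explorer"="C:\\WINNT\\Fonts\\explorer.exe"
"TaskMan"="C:\\WINNT\\Fonts\\rundll32.exe"
"Synchronization Manager"="C:\\WINNT\\system32\\mobsync.exe /logon"
'''

# Directory, relative to the system root, where each well-known binary belongs.
EXPECTED_DIRS = {"explorer.exe": "", "rundll32.exe": "system32"}
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_run_entries(reg_text):
    """Return {value_name: command} for every value under a ...\\CurrentVersion\\Run key."""
    entries, in_run_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].lower().endswith(r"\currentversion\run")
            continue
        m = VALUE_RE.match(line)
        if in_run_key and m:
            # .reg exports double every backslash inside string data; undo that.
            entries[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return entries


def audit_run_entries(entries, system_root="C:\\WINNT"):
    """Return (value_name, exe, reason) for Run entries that deserve a closer look."""
    root, findings = PureWindowsPath(system_root), []
    for name, command in entries.items():
        # The executable is the first token (quoted if the path contains spaces).
        exe = command[1:].split('"', 1)[0] if command.startswith('"') else command.split()[0]
        path, reasons = PureWindowsPath(exe), []
        if "fonts" in (p.lower() for p in path.parts[:-1]):
            reasons.append("launched from a Fonts folder")
        expected = EXPECTED_DIRS.get(path.name.lower())
        # PureWindowsPath equality is case-insensitive, matching Windows semantics.
        if expected is not None and path.parent != root / expected:
            reasons.append(f"{path.name} belongs in {root / expected}")
        if reasons:
            findings.append((name, exe, "; ".join(reasons)))
    return findings
```

Run `audit_run_entries(parse_run_entries(open("backup.reg").read()))` against your own export; on the sample above only the Explorer and TaskMan values are reported.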


----------



## RandyG (Jun 26, 2000)

and just read the link about the sophos virus . . .

it sounds like our friends here are, or were, definitely infected!!!


----------



## axco (Jul 11, 2003)

I did remove both lines and this did solve the problem. The WinVNC window did not come up after I rebooted the machine. Thanks a lot for all the help.
Axel


----------



## chittster (Aug 12, 2003)

After a 9 hour battle I just wanted to say thanks to all who have been working on this problem. Seems to me that the ole VNC issue is very closely related to a virus that is going around out there. My Mother runs win2k on her machine and called me the other day with issues. It seems that not only does the virus keep popping up the VNC settings screen, but it also destroys all executable files it sees running. Quite the good time. FYI there were two viruses that showed, a W32.valla.2048, and a hacktool virus. Norton was the best at spotting all 550+ instances I had but couldn't totally clean everything. No matter how hard I tried though, I couldn't get rid of the WinVNC until I read your threads here. The regedit path is the best bet, actually it was the only one that worked. Anyhow, anyone that sees this happening, invest in a good anti-virus scan and good luck! Once again, thanks everyone!


----------



## PostManNSC (Aug 21, 2003)

OK folks, I finally found it. A friend of mine told me that you can copy MSConfig from an XP box onto floppy & take it to a Win2K or W2KAdSrv box & it'll work. Damn if it didn't!!

Anyhow, after loading MSConfig on the system I found where the blasted WinVNC files are hidden in the system. If you look in the startup tab under MSConfig you will see an entry with this path in it:

C:\winnt\fonts\truetype\...

That's where the files are, it's 3 files:

omnithread_rt.dll
VNCHooks.dll
vnsystask.exe

You will have to reboot to safe mode to delete these files, and you can use MSConfig at any time to remove the vnsystask.exe from starting up. That's what I found, I just thought I'd leave a message if those of you who are still looking need some help.

Later,

The Post Man


----------



## JohnWill (Oct 19, 2002)

It sounds like someone used VNC to create a backdoor into systems, by itself, VNC is just a very useful remote control program. When I use VNC, it nicely has an uninstall that will remove it, obviously the malware guys don't think you need an uninstall!


----------

