userintervention.com

I’ve been visiting userintervention.com lately. Not a whole lot happening there yet, but keep an eye on it. The more people visit it, the better it will get.

On my remote Win2k Pro project, I’ve got a good start. I copied the stuff from Advanced Server to show Terminal Services in the Add/Remove Programs dialog. From there, I found the main TS .inf file, and modified it so that I could just right-click and Install it. A whole bunch of files later, I have Terminal Services installed as a service on Win2k Pro. However, it doesn’t actually start up, so now I’ve got to poke around to see what’s behind that.

My latest crazy idea

I have a new project in mind. From all my research, nobody has done it yet, but many people would love to have it. I actually saw a post describing the method I plan to use, but I haven’t seen anyone attempt it yet.

I want to get RDP/Terminal Server working in Windows 2000 Pro. You can install the RDP client to connect to other servers, but that doesn’t help connections to that PC. You can install Terminal Services on Win2k Server, and WinXP Pro has its limited Remote Desktop server, but that doesn’t help in trying to connect to Win2k Pro. I have a few PCs at work that simply cannot be upgraded to WinXP. For some reason, NT4 drivers work on Win2k, but not XP. This device only has NT4 drivers. I found some Win2k drivers for the card (I think, it’s an obscure card to begin with), but they don’t work at all, even in Win2k. Dr. Watson said something about the driver creating an infinite loop. Neato! So anyway, I want to add the ability to RDP into Win2k Pro desktops one way or another…

Stop all URL spoofing

Wow, here’s another neat little trick I found while wandering the net. Verify URL. That’s a link to javascript:alert('The real host of this site is: ' + location.protocol + '//' + location.hostname + '/'); so you can drag it to your bookmarks or toolbar or anywhere else it’s handy. A bookmarklet is a bookmark made out of a JavaScript function. The bookmark always performs some function on the current page, whether it’s incrementing a number in the URL (to go from page001.html to page002.html) or something more complicated. Anyway, this bookmarklet simply takes the protocol and hostname and echoes them in a dialog box. Keep this shortcut handy, and use it whenever you’re wondering if you’ve been taken to a spoofed site.

Though I guess it’s a little late now, since Microsoft removed the most common type of spoofing by totally eliminating the ability to send usernames directly in URLs…
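The bookmarklet's check as a plain function, added here as an example (not code from the original post): it builds the same message and also flags the user-name-in-URL trick mentioned above, which the URL parser resolves to the host after the "@". The sample addresses are constructed; 203.0.113.0/24 is a documentation range.

```javascript
// Added example (not code from the original post): the bookmarklet's check
// as a plain function, extended to flag the user-name trick the post mentions.

// Builds the message the bookmarklet shows. `href` is the page address; the
// WHATWG URL parser resolves "http://trusted.example@real-host/" to the host
// after the "@", which is exactly what a spoofed address hides.
function realHostMessage(href) {
  const u = new URL(href);
  let msg = 'The real host of this site is: ' + u.protocol + '//' + u.hostname + '/';
  if (u.username !== '' || u.password !== '') {
    msg += '\nWARNING: the address carries a user name ("' + u.username +
      '") before the host; the part before the @ is not the site.';
  }
  if (u.port !== '') {
    msg += '\nNote: non-default port ' + u.port + '.';
  }
  return msg;
}

// Wraps the function above as a one-line bookmark URL. In a browser,
// location.href is the current page, so the check runs on whatever is loaded.
// Whitespace is collapsed because bookmark fields may not keep newlines.
function toBookmarklet(fn) {
  const body = fn.toString().replace(/\s+/g, ' ');
  return 'javascript:void alert((' + body + ')(location.href))';
}

// Constructed addresses for a stand-alone run (203.0.113.5 is a
// documentation address, not a real site).
const SAMPLES = [
  'https://www.invisibill.net/url.php',
  'http://www.microsoft.com@203.0.113.5/update/',
];
for (const s of SAMPLES) console.log(realHostMessage(s), '\n');
console.log(toBookmarklet(realHostMessage));
```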

Create clickable links on the fly

And another toy from me. http://www.invisibill.net/url.php is a very simple script. As usual, you can see the source at url.php.txt. All the script does is take whatever you type in the text box and create a link out of it, using the input as both the link text and the destination. Try it – just enter a URL and hit Enter, and you’ll see how it works. It doesn’t do much, but it’s handy when you want a clickable link so you can right-click and Save As.

And again with the virus stuff

As you can see in my fancy new RSS feed, there’s a new version of Bagle going around. The SNP article has links to all the major AV companies’ reports on it, so I’m not going to bother linking to them from here. As with the original, I’ve got a removal script. unbagleb.inf will remove the registry stuff and the program file itself. As with all my other scripts, it can’t delete files that are in use. Either open Task Manager with Ctrl+Alt+Delete and kill AU.EXE before running the script, or run the script once to get rid of the autorun stuff in the registry, reboot, and run it again to delete the files. Bagle.B is really only a minor tweak on Bagle as far as how it actually infects your system, so this removal script is basically just a few changed names as well.

RSS feed stuff

You may have noticed that I added a news feed toward the bottom of the gray “nav” bar on the left. For now it’s mostly just an experiment, so it’s very subject to change.

Right now it’s pulling http://www.prognosisx.com/infosyssec/securitynewsportal.xml, formatting it, and dumping it over there. At first, I was using a script made of a few functions I found to format the XML, with the URL of the feed right in the code; snpxml.php.txt is the code for that. I thought it would be much easier if I could send the feed’s URL as a parameter instead of hardcoding it into the script. After a few minutes of searching, I found out that PHP will automatically create variables for anything it finds in the querystring. That made my conversion infinitely easier. Instead of setting up a bunch of junk to create a variable in the function that got the data from the querystring, I just had to remove the existing declaration for $feed and tack it on when I called the script. readnews.php.txt is the new script (with $feed removed at the beginning). Now I just have to call it with something like http://www.invisibill.net/readnews.php?feed=http://www.prognosisx.com/infosyssec/securitynewsportal.xml, PHP automatically converts the URL passed in the querystring to $feed, and I don’t need to change anything else for it to work. I also added a bit of error checking so that it exits if you don’t pass it a value.
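The ?feed= handling described above, as an added example in JavaScript rather than the PHP of readnews.php (not the post's own code): the parameter is read by name instead of relying on the querystring turning into variables, and the URL is checked against an allowed-host list before anything would be fetched. The allowed-host list is an assumption; the post names only the one feed.

```javascript
// Added example (not code from the original post): the ?feed= handling of
// readnews.php written in JavaScript, reading the parameter explicitly and
// checking it before anything is fetched.

// Hosts the reader may fetch from. Assumed list; the post names only one feed.
const ALLOWED_FEED_HOSTS = new Set(['www.prognosisx.com']);

// Returns the feed URL to fetch, or null when the parameter is missing,
// malformed, not http(s), or not on the allowed-host list. Reading the value
// from the query string by name means nothing else in the query string can
// become a variable the script later trusts, and the allow list keeps the
// script from fetching arbitrary URLs on a caller's behalf.
function selectFeed(queryString, allowed = ALLOWED_FEED_HOSTS) {
  const feed = new URLSearchParams(queryString).get('feed');
  if (!feed) return null;                      // the post's "exit if no value"
  let u;
  try { u = new URL(feed); } catch (e) { return null; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  if (!allowed.has(u.hostname)) return null;
  return u.href;
}

// Constructed query strings: the feed from the post, then ones to refuse
// (203.0.113.9 is a documentation address, not a real site).
const QUERIES = [
  'feed=http://www.prognosisx.com/infosyssec/securitynewsportal.xml',
  '',
  'feed=http://203.0.113.9/not-allowed.xml',
];
for (const q of QUERIES) console.log(JSON.stringify(q), '->', selectFeed(q));
```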

BartPE == teh win!!!111

Ok, finished up my BartPE CD last night. WOW! That’s all I can say. I copied the format of the Compaq Smart Array Driver plugin and created a plugin for the HighPoint HPT370 IDE RAID controller on my motherboard. Spent some time downloading the files needed for the plugins I wanted (it includes the interface stuff and instructions, but you have to get the actual files yourself), then let it make the ISO. I burned it to a CD, then restarted and booted off it.

It installed both my ethernet and HomePNA network cards, got an internet IP address via DHCP, Nero loaded up and included my CD-RW just like in my regular WinXP install, and I could access the NTFS partitions on my RAID drives. BEST BOOT DISK EVER!

Now I just have to get every util I’ll ever need added in, and I’ll be set.

I highly recommend this to anyone who can figure it out. It’s not AOL-easy, but it shouldn’t be too hard for anyone with moderate geekiness.

BartPE

http://www.nu2.nu/pebuilder/

Bart’s PE Builder helps you build a “BartPE” (Bart Preinstalled Environment) bootable Windows CD-Rom or DVD from the original Windows XP or Windows Server 2003 installation/setup CD, very suitable for PC maintenance tasks.

It will give you a complete Win32 environment with network support, a graphical user interface (800×600) and FAT/NTFS/CDFS filesystem support. Very handy for burn-in testing systems with no OS, rescuing files to a network share, virus scan and so on.
This will replace any DOS boot disk in no time!

I was following this a few (probably about 8 now…) months ago when it was dealing with the legal side of things, and was temporarily unavailable. I had forgotten about it until I stumbled across it in a search for other info last week. I haven’t actually made mine yet, but I plan to soon. I thought it looked awesome back then, and it only seems to have improved since then. It can be extended via plugins, which appear to require a bit of manual work to install (downloading programs or including your own licensed versions).

It’s really a basic version of Windows XP on a CD or DVD. This means it can get around some limitations imposed by any form of DOS boot disk (even if it’s emulated on a CD). You can access storage devices not detected by the BIOS (USB or some fibre channel devices) and very large (>2TB) NTFS volumes. Obviously not a huge deal to everyone, but if you need it, you can’t really do without it. The process for making this CD, especially with lots of custom stuff, is probably above most AOLers, but if you’re interested in this sort of thing, you can probably handle it.

Find all current MS patches

A friend just sent me this link. It’s a search for all post-SP1 patches for WinXP. Download all of those and burn them to a CD. Then you can install your slipstreamed WinXP SP1 and have it fully patched before ever getting online with it. It’s also handy for getting all the patches to archive, for your own use or for someone else who doesn’t have broadband or something.

Virus stuff again

There’s a variant of the Mydoom virus going around now. Mydoom.B also targets microsoft.com for the DDoS. It’s mostly a clone, with some filenames changed. http://files.invisibill.net/unmydoomb.inf will remove the new version, just like my last one did on the original.

However, the B version also tampers with your hosts file. A hosts file is a text file that lists some names and the IP addresses they should correspond to. The most common entry in a hosts file is 127.0.0.1 localhost. This is the standard loopback address, and tells the system that you mean your own PC anytime you use the servername localhost. Mydoom.B adds a bunch of common servernames and points them at 0.0.0.0, making it so that your computer can’t connect to those sites. Most of the sites are places you would go for updates or virus info – it attempts to cut you off from finding the information to fix the problem.

(microsoft.com itself is only added if the current date is outside the DDoS date range)

Once the virus is on your system, you won’t be able to successfully connect to any of those sites. The fix is fairly simple though. You just need to remove those lines from your hosts file. You can search for “hosts” or it should be in your Windows directory on Win9x (C:\Windows\hosts) or under your system directory on WinNT (C:\WinNT\system32\drivers\etc\hosts). The hosts file doesn’t have an extension, so you may need to have Notepad (or whatever editor you’re using) look at all filetypes to open it. That’s the dropdown box under the filename in the Open box.

Now that you’ve got the hosts file open, you should see lines with “0.0.0.0” followed by the servernames the worm adds. Just delete any line that starts with 0.0.0.0 and names one of those servers. Some ad-blockers also add ad-server names here (so that you never connect to the ad server), but you should be able to tell which lines are real servers blocked by the virus and which are ad servers blocked by another program.