Dispelling Rumours
Okay, wait, before I come up with a decent post, I *do* see an urgent need to dispel the rumours being posted here and there, and of course, being chatted about in everyday blabber, which somehow, people tell other people, and then those other people, tell me. I'm not everywhere in the place, but I still do hear things, you know. 
Rumour #1: "RP has put spy software on our computers, they can see whatever we're doing (when we're in the domain)! OMG!"
Clarification: Yes, and No.
Let me answer the part on "Yes" first – it *IS* possible for RP Staff / Administrators who have permissions in their servers – those machines which we all connect to (Technical term: Domain Controllers) – to connect in. In fact, there is even an "application*" called Remote Control in your Control Panel. You can find it at Start > Control Panel > Remote Control.
* Technical term: The application is actually a Control Panel extension involved with the Microsoft SMS 2003 client. Google for it if you're interested!
However, NO, they don't *need* that program to "spy" on us if they want to! Since they have some really powerful rights (think of it as some power) on those servers mentioned above, rights which are called Domain Administrators, they can basically run anything without our knowledge, through many ways, one of them being Advertised Programs. Sounds familiar? =X
Processes like cmmon32.exe are merely applications which "customize" RP network settings such as the RP Student VPN program – give it a beautiful logo, and make it look really "formal", don't read too much into them. For the technically proficient: If you do want a formal technical memory dump of the program, do contact me.
Rumour #2: "After I visit Yandao.com, I got multiple popups?"
Clarification: Seriously, if I wanted to bug you with popups, I wouldn't have bothered offering to help everyone fix spyware. The popups probably came from your friend's or maybe even your thumbdrive. RavMonE.exe and mth.exe – sounds familiar when you press Control + Alt + Delete and choose Processes? There you go, spyware, a.k.a the "Thumbdrive Virus".
Oh, and the very proficient IT helpdesk people, the ones like Stanley and Richard, probably know how to fix it, just tell them the guy from Yandao.com said to look for:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
in the registry, and for Services with Chinese names and no descriptions at times – They should be able to fix the rest with common sense, especially those 2 guys.
Better still – point them to this page! Hah!
Rumour #3: "Why must type in password in the Photo Website? Dangerous!"
Clarification: We are "downloading" the photos from RP's webserver, also known as http://myrp.edu.sg or http://myrp.sg or http://www.myrp.edu.sg. Don't believe? Check out the source code, by Right Clicking on the page, and choosing View Source! Press Control + F to search for any of the above!

You should see something like the above! If you don't understand what it means, I can always answer your queries through MSN.
Rumour #4: "Add another webcam in [insert location here], leh!"
Clarification: Sorry, I don't own the webcams, just borrowing the "views" from the school. Try asking OSG or OSC maybe? Perhaps they would do one in the dark dark staircase where the couple rumours came from……… =X
Oh, and 1 last thing, it's a request from me, to you all:
Could you guys kindly use the "Comment" feature to post comments relating to the posts?
I *CAN* and *WILL* answer all comments that are entered and received by my site!

Shoutbox has limited space, lah. But still, thanks for supporting!
hey is this the entire list of webcams we have in the school, because it doesn't seem so when the size of the school being rather massive in its own way. Or perhaps these are the webcams currently found or is there a way to find out the ip addresses of the ‘other’ webcams in the school
and a suggestion would be to state the location once it is verified lar, i don't think the people understand the functions of the ‘suggest location’ button and instead used it as a ‘search’ button… -.-
“Found Webcam: View Webcam: 172.16.48.11
[b]Possible Locations: W1 Datacenter, w14, w15m, W201-Datacenter 1, W25P, w16g, W1, e36l, w16k, W24P, E24R, w15b, w25e, w1, w15m, w16e, w35G, w25p, W24P, w16g, ws5p, sports complex, w26a, w15m, w24p, library, w24h, W15L, w1, w15b, “”[/b]
wtl sia…
Hmm.
This is the entire list of webcams which are by that specific manufacturer – you know, the big and BULKY ones, with LED’s on it. The rest is under a different system, which I am really hoping is not the conventional one – because then we’ll have no way of checking them out.
Tried scanning the ranges, but not enough time to do so today. Will try it out tomorrow again, heh. Anyways, if I were to verify it manually, would need 2 things: Manpower, and Time. A bit difficult. So, just only implemented something which would block anything 4 letters and below – so crap won’t show up lah.
Yes, I know. But it's okay. Like the photo site, people are used to the search button already. LOL.
Try spamming it now =X
LOL. u seriously did dispel the rumours.. but u still have not come up with a decent post… with regards to the 1st sentence of ur entry. LOLS… =p
koonchin – Oh, I keep forgetting that you get, er, interested with words. Uh huh. I was meaning to post one just now, but I fell asleep on the bed. Oops. Good point though.
Here goes [decent post]
Er, u say find registry to delete popups rite where can i find registry folder?
Hmm, mire, I didn’t say that. I meant you had to follow the “common” removal procedure, registry run keys, ActiveX startups, BHO’s, Winsock LSP, loads of ways for spyware to hide.
MSN me, I’ll fix it for you
hey i got the chinese virus with no description tat one.. how ah? wat to do to remove it..?
It’s not easy to remove it, because nowadays, that Chinese virus/spyware keeps changing its name – it can even disguise itself as Flash Player 9.
But if you do really want the technical details, I think I mentioned some above, but I really *DO NOT* recommend you attempt this on your own, because if you remove the wrong file, your computer is sooo screwed =X
Try reaching me at hot_wired13[at]hotmail.com on MSN, if you wouldn’t mind me fixing it for you, if you really wanna try, however…
– DO THESE AT YOUR OWN RISK –
Part I – Common startup methods, ActiveX/BHO, Registry Run, System.ini, Winsock LSP, Toolbar, Winlogon
1. Get HijackThis! from http://www.merijn.org/files/hijackthis.zip
2. Unzip and Run HijackThis.exe
3. Click scan, then you should see loads of results coming up
4. There is NO WAY I can tell you which is which, but those with names like: Flash9, SVOHOST, RavMonE, mth, SVOHOST, WINLOGON (if it's under the Run section), Update2, winampa/realplayer (if it's under c:\windows\), etc. – Those China spyware buggers keep changing the names, from what I last saw, those were the common names.
An easier way would be to tick those which you haven’t seen before or haven’t installed – but always backup first, hor.
5. Click Fix – this deletes/removes (or rather, tries to) those that you have ticked.
6. Do a scan again, if some that you ticked are still there, then we have a bit of a problem, which I will mention in Part IV or so later on.. For now, take paper and write down the filenames/path of the viruses/spyware
Part II – Hidden Services (as in hidden from Hijackthis)
1. Start > Run > services.msc
2. Determine which are the services which have Chinese descriptions or blank ones, such as jMediaService, and some other crap.
3. Select them, Right click > Properties
4. Notice the SHORT service name, the one that you cannot copy/paste
5. Start > Run > cmd.exe
6. Type inside the Command Prompt: sc delete [serviceName]
(like for example, service is jMediaService, I would type: sc delete jMediaService. if there are spaces, I could try: sc delete "Blah Blah Service")
7. Reboot
Part III: New hidden Explorer Policy Run Registry Key
1. Start > Run > regedit.exe
2. Navigate to:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
3. If on the right hand side, you do see loads of crap, and even if they *look* real, you ARE infected, for now, take paper and write down their filenames and path, like c:\windows\system32\tapidef.dll. Go to Part IV.
Part IV: “Deleting” files which can’t be deleted in windows
So, why can’t those files be deleted? Because they’re either part of Explorer.exe’s run policy, or a running persistent ActiveX/BHO control or have stupid memory hooks/injection.
Let’s use a very silly workaround. Heh.
1. Take that piece of paper which I told you to write the filenames
2. Start > Run > cmd.exe
3. Type this:
ren c:\windows\system32\tapidef.dll tapidef.dll.lol
(or something similar, replace that path with the path on ur paper, lah.)
4. Reboot
Once again, I do NOT recommend trying this out, if you are unclear at the above instructions, however, I *CAN* teach you how to do it, and *CAN* fix it for you. MSN me, call me (if you have my number – get it from a friend.), come over to my class. Anything.
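
A read-only audit of the two places that the post and Parts II and III of the comment above check by hand: the Explorer policy Run key and services with blank descriptions. This is an added example, not part of the original post or its comments; it assumes PowerShell 3.0 or later, and the three extra Run keys and both function names are additions made here, not taken from the page.

```powershell
# Read-only audit: lists entries for manual review, changes and deletes nothing.
# The first key is the one named on this page; the other three are common
# autorun locations added for this example (assumption, not from the page).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

function Get-RunKeyEntry {
    # Hypothetical helper: one object per value under each Run key that exists.
    param([string[]]$Path)
    foreach ($key in $Path) {
        if (-not (Test-Path -LiteralPath $key)) { continue }  # key absent: nothing to list
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{
                Key     = $key
                Name    = $name
                Command = $item.GetValue($name)   # the file path to write down
            }
        }
    }
}

function Get-UndescribedService {
    # Hypothetical helper: services with an empty description, plus a flag for
    # non-ASCII display names. Legitimate services can match either test, so
    # treat the output as a review list, not a verdict.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { [string]::IsNullOrWhiteSpace($_.Description) } |
        Select-Object Name, DisplayName, State, StartMode, PathName,
            @{ Name = 'NonAsciiName'; Expression = { $_.DisplayName -match '[^\x00-\x7F]' } }
}

Get-RunKeyEntry -Path $runKeys | Format-Table -AutoSize -Wrap
Get-UndescribedService | Format-Table -AutoSize -Wrap
```

The Name column is the short service name that sc delete expects, so it can be copied from the output instead of retyped from the Properties dialog.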