
A tale to warm cockles of the Sleuthing Heart
Mini-bio of someone you Don't want to Cross, and a story of how-it-Is for folks not-like-you: post beastinfection. But not the usual not-like-you: This one Learns, delves, takes notes, looks stuff up: Applies The Stuff! (And has a sense of humor about the whole schmeer - so you Know she ain't no Repo, neither.)

Am ~amazed at the tenacity of my neighbor L - horses, critters, organic farm and such enviro, but keeps books for their business stuff; clearly she digs Boolean re troubleshooting, and now: re much more of the Guts than ever would I have expected.

Partly, she is motivated by the surliness (think the typ Beastly Arrogance of a wet-behind-ears MCSEIEIO twerp) == the local Geek Squad types hired out by Best Bye-Bye-your-CC-$$. These were sent out, at Big Bux to deinfest her hP/ExPee notebook ticking time bomb.

They pronounced it clean (dunno yet if they even reported if/what they might have found.) It wasn't. Clean, that is. Twice. Then - -

They poo-poohed her hand-written LIST of the events still occurring, ignored her digi-cam pics! of silly things in task bar, permissions changing and other.. even disdained the red-underlined items in her list of objects found in folders: Those With Refs to Web Descriptions of their origins in malware.

(And yes - she already had AVG (replacing Norton earlier, at my suggestion via IWE lore), Spy-Bot SD, Ad-A - in fact it was the resident SpyBot ap she also activated - which first flagged TILT. Linksys router + ZA in operation; so this bug came from her own clicky-clicky, as she realizes.)

She is determined to find the pedigree of George, her ID of the keeper of root - or by whatever sinister facsimile. Is learning about some of the tools mentioned in these parts, the logic of step-by-step -- for the bugs that reinstall seconds after erasure. Appreciates why some of these need HD access via some Non-toy OS for cleansing ie. why you cannot let Doze run at all, under some conditions of auto-destruct-in-progress. (That's a lot to grok, for a non-tech, I'd say.)

I think she will pay $$ for some of the better tools; and not just the automated kind. Perhaps one of our sleuths can list a few handy items beyond HiJack This - presuming she'd need to follow a recipe and not intuit the order of applying such diagnostics. She recalls a bit of DOS lore, but without say, XTree running, I doubt she could use attribs (a rilly powerful util for finding stuff IIRC, apart from doing what its name says. Recall several .bats that made very clever use of its sys access.)

Hmmm - good review for my little grey cells too.
I don't know if there are ten or a thousand vaguely-similar utils now for the daily bug-hunt; mayhap Google can enlighten moi. I lack the patience to sample everything that sez I Da Best.

Then too, since it would be like the Maytag Repairman, looking for OSX bugs re her G-4 - she just may end up keeping the late hP notebook, become the Kenwood Bug-Lady and retire on profits to the Bahamas.. join the rest of the Gross National Product buried thereabouts. (This game may prove more rewarding for her than the faux-poker stuff! which lay behind the interest in faux-PC on the Mac.) Well, I guess gamers would understand such mind melds..

So then - just thought y'all would like to hear of an Exception to the kind of brain-dead responses as drive HelpDesk folks into underground assassin cults with sharp eviscerating knives.

Further adventures may be reported - incl. how the judge takes to her winning personality, pictures + 2# of annotated data + clear synopsis <-VS-> Geek Squad weenies. Unless Best Buy Elsewhere recognizes the Problem and gives back. But hey, they're a corporation; surely the MBA will say No. Love. It.


moi

Kenwood..
Soon to be: Billyware Decontamination Capital of Sonoma County LLC BFD YPB
Tomorrow, Die Welt

It's a shame she has to go through all that.
It's great that she's taking the problem as an opportunity to learn more about her system though.

I'm sure Andrew could recount his latest [link|http://z.iwethey.org/forums/render/content/show?contentid=195325|horror stories] - they're always interesting. Most likely her infection is something reasonably common but something that may play with the registry - making it non-trivial to remove.

My guess is she needs to try disinfecting the machine by booting from a [link|http://www.oreillynet.com/sysadmin/blog/2004/06/scanning_for_viruses_with_knop.html|live CD of some sort] - e.g., [link|http://www.inside-security.de/insert_en.html|INSERT] and [link|http://www.heise.de/newsticker/meldung/65553|Knoppicilin] (in German).

If AVG can't get rid of it, maybe try [link|http://www.f-prot.com/products/corporate_users/win/|F-Prot] (scroll down for the trial version), and maybe [link|http://www.pctools.com/spyware-doctor/|Spyware Doctor] from a place close to Static's heart.

I've been lucky in that I've not had to go through a deep disinfection, so I can't tell you how well any of those tools work.

HTH a bit. Best of luck to her!

Cheers,
Scott.
first off in bug hunting is tcpdump
sniff the packets to see who is communicating with her box or who her box is trying to call. Then off to the whois databases to see who claims ownership of the IP being used. Then emails followed by phone calls to the ISP abuse department. Also see if anyone in the local gendarmes is interested in this stuff.

Then tootle around the process stack in taskmanager, googling each iffy one to see if it is malware.

at the command prompt telnet localhost 25 to see if you are a part of a botnet running an smtp server.

netstat -an tells you what ports have a listener; then google "tcp listener port portnumber" - this will reference any known badguys.

tcpdump can be downloaded from the net. Telnet and netstat are built in cmd commands.

Dunno if there is a copy of saint on the net for windows, maybe download that to the mac and aim it at the dosbox to see what gapers are there.
thanx,
bill

Any opinions expressed by me are mine alone, posted from my home computer, on my own time as a free american and do not reflect the opinions of any person or company that I have had professional relations with in the past 50 years. meep
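To make the netstat step above concrete, here is a small triage script (an added example, not code from anyone in this thread). It parses the text `netstat -an` prints on a Windows box, lists the listening ports, flags the ones a single-user workstation would not normally expose (port 25 being the tell-tale from the post above), and collects the foreign IPs of established connections as the list to feed into whois. The netstat output embedded in it is constructed to look like XP's; the service-name table is a hand-picked subset of IANA well-known ports, and the "expected workstation listeners" set is an assumption you would tune for the box in question.

```python
"""Triage of `netstat -an` output (added example, not from the thread).

Assumptions: the sample text below is constructed to resemble Windows XP
`netstat -an` output; KNOWN_SERVICES is an abbreviated IANA port table;
EXPECTED_WORKSTATION_LISTENERS is a guess at what a home XP box normally
listens on and should be adjusted per machine.
"""
import re

# Constructed sample of what `netstat -an` might print on an infected box.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1034      203.0.113.50:6667      ESTABLISHED
  TCP    192.168.1.10:1041      198.51.100.7:80        ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
"""

# Abbreviated well-known port assignments (IANA).
KNOWN_SERVICES = {
    25: "smtp", 80: "http", 135: "msrpc", 137: "netbios-ns",
    138: "netbios-dgm", 139: "netbios-ssn", 443: "https",
    445: "microsoft-ds", 6667: "irc",
}

# Assumed: ports a plain single-user Windows workstation legitimately
# listens on (Windows networking only). Anything else gets flagged.
EXPECTED_WORKSTATION_LISTENERS = {135, 137, 138, 139, 445}

# One socket line: proto, local addr:port, foreign addr:port, optional state.
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$"
)


def parse_netstat(text):
    """Return one dict per socket line; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, faddr, fport, state = m.groups()
        rows.append({
            "proto": proto, "local_addr": laddr, "local_port": int(lport),
            "foreign_addr": faddr, "foreign_port": fport, "state": state or "",
        })
    return rows


def listening_ports(rows):
    """TCP sockets in LISTENING state plus every UDP socket (UDP has no state)."""
    return sorted(
        r["local_port"] for r in rows
        if (r["proto"] == "TCP" and r["state"] == "LISTENING")
        or r["proto"] == "UDP"
    )


def unexpected_listeners(rows):
    """Listeners outside the expected set, paired with a service name if known."""
    return [
        (p, KNOWN_SERVICES.get(p, "unknown"))
        for p in listening_ports(rows)
        if p not in EXPECTED_WORKSTATION_LISTENERS
    ]


def established_peers(rows):
    """Foreign addresses of established connections: the whois candidates."""
    return sorted({r["foreign_addr"] for r in rows if r["state"] == "ESTABLISHED"})


def triage(text):
    """Full report for one netstat dump."""
    rows = parse_netstat(text)
    return {
        "unexpected_listeners": unexpected_listeners(rows),
        "peers": established_peers(rows),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_NETSTAT)
    for port, svc in report["unexpected_listeners"]:
        print(f"unexpected listener {port}/{svc}: search 'tcp listener port {port}'")
    for ip in report["peers"]:
        print(f"established peer {ip}: look it up in whois")
```

On the constructed sample the script flags 25/smtp (a mail listener on a desktop, exactly what the `telnet localhost 25` check above is hunting for) and 6667/irc, and hands back the two peer addresses for the whois step. Run it against a real dump by replacing SAMPLE_NETSTAT with the saved output of `netstat -an > netstat.txt`.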
Thanks! both..
That's assuredly a decent intro, through which she can see where the holes are, in her fledgling map of how all this shit hangs somewhat together.

And Box - that was a marvel! of compact, legible anti-skullduggery - complete with hints on where to aim one's crossbow. Shall pass on both virgo intacta; let her follow up on the tough words.

(I advised her not to take my utterly _ excremental _ view of Billy and the Beast-boys as unbiased - but read around and see if I exaggerate the precarious position of any Doze user, right now. She also read some of the boosters (the dalerosses of the world). Early conclusion (as she absorbs the Magnitude and duration of this worldwide scam / festering sore upon the anal sphincter of humanity): She now wants the little twerp's gizzard - sauteed in Bally sauce. 'Course it's easy to despise the whiny little inventor of 'rented software forever'.

So then, in fact she's not interested in "learning enough to make it safe to run Doze" (anymore than she wants a ticket on that airplane full of the Rapturin-out loonies.) But she just may enjoy the spy-game as much as most folks dig PBS Mystery series. So it remains to be seen if she'll invest the boring groundwork needed to become actually proficient -- I'd hope that she might find it a lot more fun than 'poker' or even Poker, but .?.

Gracias,
moi
