Never put blind faith in a blogger.

Back to Technomancy

Date/Time Permalink: 09/15/07 07:19:36 pm
Category: Site News

Gah! I'm exhausted!

In between getting some work done on deadline, I have had a very good friend do a very good thing for me. He simultaneously moved and decided to get rid of a bunch of computer stuff. (A small truckload?) And I'm your friendly neighborhood cyberjunk depository, so it got brought to Igor's laboratory.

To a technomancer like myself... you know, a technomancer? If a necromancer re-animates dead people to do his bidding, then a technomancer does the same for "dead" technology... usually by installing Linux on it, since Linux is the after-life of hardware. Anyway, to a technomancer like myself, a small truckload full of computer stuff is an early birthday present. It took me two days to sort through it all.

Found so far: One Iomega zip drive and a stack of zip disks (trash!), a FAX machine, not one but two drawing tablets (both missing the stylus!) and one of them Wacom (a new stylus is a mere $40 as I understand it), printers, scanners, miles of cable, routers, junk, junk, junk that I don't know what it is, more junk...

And a PC with Windows XP on the drive. And guess what? For research purposes, I'm actually keeping Windows on it for the time being. The previous owner tells the exact same story I hear from every Windows user, that the machine got more and more clogged with viruses of every kind and got slower and slower until all the hard drive space got eaten up, so he's junking it.

NOTE: I am NOT putting the box online! That's what God gave us USB drives for.

Well, sick puppy that I am, I'm having a field day with it. Yes, 10 glorious Gigabytes of viruses, worms, backdoors, rootkits, malware, spyware, adware, bots, and probably a spare nether-demon from the foul abyss in there. What? Reformat and reinstall? Are you mad? No, you do this:

Run grml live CD. Mount the hard drive with "mount /dev/hda1?", "cd /mnt/hda1?" and "ls". Why, lookie at all the grossness! This file looks suspicious; Google, Google, yep it's a virus, delete, and what about this one? Ohhhh, this looks like part of this malware! And what's in the C:\Windows directory? Beats me: it was so crammed that it literally hung "ls" for an hour! So I piped the output of "ls" to a file, catted it, and found miles of files like this:

-rwxrwxrwx 1 grml grml 0 2005-10-01 14:58 addih32.dll*
-rwxrwxrwx 1 grml grml 0 2005-10-01 16:25 njaly.log*
-rwxrwxrwx 1 grml grml 0 2005-10-01 16:26 ktbol.dat*
-rwxrwxrwx 1 grml grml 0 2005-10-01 16:48 iena32.dll*
-rwxrwxrwx 1 grml grml 0 2005-10-01 18:05 qlwap.txt*
-rwxrwxrwx 1 grml grml 0 2005-10-01 20:24 qtwnm.log*
-rwxrwxrwx 1 grml grml 0 2005-10-02 00:53 skzin.dll*
-rwxrwxrwx 1 grml grml 0 2005-10-02 01:37 fmszk.dll*
-rwxrwxrwx 1 grml grml 0 2005-10-02 03:28 javais.dll*
-rwxrwxrwx 1 grml grml 0 2005-10-02 08:30 wintg.dll*
-rwxrwxrwx 1 grml grml 0 2005-10-02 09:02 aafsd.dll*
-rwxrwxrwx 1 grml grml 0 2005-10-02 10:35 addmd.dll*
-rwxrwxrwx 1 grml grml 0 2005-10-02 10:48 winxu.dll*

...on and on and on. All zero bytes. And even more that were like this:

-rwxrwxrwx 1 grml grml 67K 2005-07-06 10:01 pjtmcr.dat*
-rwxrwxrwx 1 grml grml 67K 2005-07-06 10:01 rrexex.dat*
-rwxrwxrwx 1 grml grml 67K 2005-07-06 10:22 ipohgg.dat*
-rwxrwxrwx 1 grml grml 67K 2005-07-06 10:51 gidijw.dat*
-rwxrwxrwx 1 grml grml 67K 2005-07-06 11:13 flfkop.dat*
-rwxrwxrwx 1 grml grml 67K 2005-07-06 11:34 jdbgdd.dat*
-rwxrwxrwx 1 grml grml 67K 2005-07-06 11:34 zfghuo.dat*
-rwxrwxrwx 1 grml grml 67K 2005-07-06 12:03 onqfis.dat*
-rwxrwxrwx 1 grml grml 67K 2005-07-06 12:24 cxcuic.dat*
-rwxrwxrwx 1 grml grml 67K 2005-07-06 12:24 zgirgu.dat*
-rwxrwxrwx 1 grml grml 67K 2005-07-06 12:46 ibqdij.dat*
-rwxrwxrwx 1 grml grml 67K 2005-07-06 12:46 rlsnph.dat*
-rwxrwxrwx 1 grml grml 67K 2005-07-06 13:07 kltjpv.dat*
-rwxrwxrwx 1 grml grml 67K 2005-07-06 13:36 ocaqvr.dat*

but some chunks would have 66K, some 35K, and so on. A quick command line involving some fancy grep and awk footwork and I'd deleted them all, with this list of files I'd deleted as a record. I rebooted into XP and it came up much happier, and with 66% fewer pop-ups! The text file containing the list of file names I'd deleted is itself 2.4MB!
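The post doesn't show the actual grep/awk one-liner, so here is an added example (mine, not the author's) that does the same triage in a reusable form: scan one directory on the mounted Windows partition, flag files whose names fit the machine-generated pattern in the listing above (5 to 7 lowercase alphanumerics plus .dll/.dat/.log/.txt) and that are either zero bytes or share one size with several siblings, log every name before deleting it, and leave everything else alone. The name pattern and the sizes are taken from the listing; the group threshold of 3 is an assumption, and the fixture directory is constructed sample data rather than anything from the real machine. Two caveats worth knowing before deleting anything: the "rwxrwxrwx grml grml" in the listing is just what a FAT/NTFS filesystem looks like when mounted from Linux (those filesystems carry no POSIX permissions, so every file gets the mount's defaults), not a sign that anything was made executable; and for a first pass, mount the drive read-only ("mount -o ro ...") so a slip doesn't destroy the evidence.

```shell
#!/bin/sh
# Added example, not the author's original one-liner. Triage a directory on a
# mounted Windows partition for the dropper pattern shown in the listing above:
# short machine-generated names with a .dll/.dat/.log/.txt extension that are
# either zero bytes or share one size with several siblings.
# Assumptions: the 5-7 character name pattern and the extensions come from the
# listing; the group threshold (3) is a guess, tune it for the directory at hand.

# Name filter: 5-7 lowercase alphanumerics plus one of the dropper extensions.
JUNK_NAME_RE='^[a-z0-9]{5,7}\.(dll|dat|log|txt)$'

# find_junk DIR [MIN_GROUP]
# Prints one candidate file name per line. Non-recursive on purpose: the
# point is to look at one crammed directory (C:\Windows here) at a time.
find_junk() {
    dir="$1"
    min_group="${2:-3}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name="${f##*/}"
        printf '%s' "$name" | grep -Eq "$JUNK_NAME_RE" || continue
        size=$(wc -c < "$f" | tr -d ' ')
        printf '%s\t%s\n' "$size" "$name"
    done | awk -F'\t' -v min="$min_group" '
        { size[NR] = $1; name[NR] = $2; seen[$1]++ }
        END {
            # zero-byte stubs always count; otherwise a size must be shared
            # by at least MIN_GROUP pattern-matching files
            for (i = 1; i <= NR; i++)
                if (size[i] == 0 || seen[size[i]] >= min) print name[i]
        }'
}

# purge_junk DIR LOGFILE [MIN_GROUP]
# Records every candidate in LOGFILE before deleting it, so the deletion
# list survives as a record the way the author's 2.4MB text file did.
purge_junk() {
    dir="$1"; log="$2"; min_group="${3:-3}"
    find_junk "$dir" "$min_group" | while IFS= read -r name; do
        printf '%s\n' "$name" >> "$log"
        rm -f -- "$dir/$name"
    done
}

# make_fixture DIR : constructed sample directory mirroring the listing
# (four zero-byte stubs, three 67K .dat files, plus legitimate-looking files
# that must survive). Sample data, not copied from the real machine.
make_fixture() {
    d="$1"
    for n in addih32.dll njaly.log ktbol.dat iena32.dll; do : > "$d/$n"; done
    for n in pjtmcr.dat rrexex.dat ipohgg.dat; do
        dd if=/dev/zero of="$d/$n" bs=1024 count=67 2>/dev/null
    done
    printf 'MZ fake header\n' > "$d/explorer.exe"      # real name, unique size
    printf 'legit scanner driver\n' > "$d/twain.dll"   # fits the name pattern, unique size
    : > "$d/setuplog.txt"                              # zero bytes, but name too long to match
}

# Usage when run directly:  sh triage.sh /mnt/hda1/WINDOWS deleted.txt
if [ "${1:-}" ]; then
    purge_junk "$1" "${2:-deleted.txt}"
fi
```

Run find_junk first and read the list; only call purge_junk once you are happy with it, since a legitimate five-letter DLL that happens to share a size with two others would be swept up too.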

NOTE: Anybody out there know what this particular thing is?

Oh, this is just the beginning! There's lots more to explore... I haven't opened the system32 directory yet, that's gonna be a treat. But what, run a virus-scanner? Scoff! That's the first thing I delete; in my arrogant opinion anti-virus makers are half of the problem.

See, it's all research. And articles on how to scrub viruses out of Windows and make Windows and Linux co-operate are $money, $money, $money! I haven't dual-booted Winduhs since the old Red Hat days, so I think I'll keep it hanging around for a while as a pet. Perhaps to someday dual-boot it with... hmmmm, maybe FreeBSD this time. That'll teach it some manners!

Oh, and a bonus buck: A gnarly old vintage two-button mouse shaped and decorated like an 8-ball, sadly with the DE-9 connector.

[picture of the 8-ball mouse]

UPDATE Pi Day, 2008: It turns out that the primary purpose I've ended up keeping this box with XP around is to deal with paranoid clients. You wouldn't believe the anxiety some people have when you tell them you're designing their blog banner on Linux. First I have to send them a screenshot to show them, yes, Linux can design graphics, too, without Photoslop. Then after it's finished, I have to send them a screenshot from the Winduhs box to show them, yes, you can display a banner drawn on Linux in Internet Explorer and the world will not end.

It's not their fault, but it is paranoia. Thank you, Redmond, for giving us a whole generation of brainwashed people to rehabilitate one at a time!
