Full Disclosure mailing list archives

Re: tvm.exe / poll each.exe / blehdefyreal toolbar


From: petard <petard () freeshell org>
Date: Wed, 9 Jun 2004 16:12:43 +0000

On Thu, Jun 10, 2004 at 12:38:05AM +1200, Nick FitzGerald wrote:
petard <petard () freeshell org> wrote:

It sounds like CWS.
http://www.wired.com/news/infostructure/0,1377,63391,00.html

Because, as we all know, CWS is the _only_ adware (virus, or other 
malware) that installs "guardians" and uses multiple tricks in its 
attempts to baffle far from intelligent removal efforts, right?

No. Because based on the scant information in the original post (name of
exe, URL, toolbar name, homepage hijack) and the frequency with which
CWS is seen, some CWS variant seems like the most probable culprit. Did
you interpret "sounds like CWS" as any more definite diagnosis than
that?

That is purely a sign of your inadequacy to the job at hand -- surely 
not a qualification for you to provide "advice" to others (well, other 
than of that form "get someone more competent than 'petard' to help").
heh. That was exactly my advice to the client in question, but they
asked me to proceed as a favor anyway. But no, it's not purely a sign of
"inadequacy to the job at hand". In fact, I'd claim that the only sign
of inadequacy to the job at hand was that I even entertained the idea of
doing something other than wipe and reinstall when I saw a machine
behaving as OP describes. Let's examine this a little:

1. OP has effectively been "rooted". He doesn't know exactly how.

2. He (as I didn't) clearly doesn't have a picture of exactly what has
been installed after that PC was compromised. He most likely doesn't
know exactly what was installed before the PC was compromised, so it is
nigh-on impossible to determine what's been changed.

If OP had some other method of getting the PC back to a known state, he
likely wouldn't have been asking the question here. The "wipe and
reinstall" is the only *known safe* course of action when you've got a
machine running unknown binaries.

Suggesting that the likely best approach to "fixing" a system of which 
you have _no freaking idea whatsoever_ is ailing it is to reformat and 
reinstall (_or_ anything else) is clearly a sign of incompetence, and 
little else.

Bullshit. It's the only safe advice, unless you know exactly how the
machine was compromised and what was installed. No one on the list will
be able to tell that given the level of detail in the original post.
Any other course of action in the absence of this knowledge leaves some
possibility of a backdoor.

My *opinion* is that, for the average set of PC software, it will take
someone who doesn't know exactly what's been installed less time to
rebuild a box than to find out what is needed in order to become 100% 
certain no backdoor is left.

Presenting such inadequate "advice" with little suggestion of the 
possibility of doubt makes it even less helpful.
The "advice" you seem to dislike so much guarantees a clean PC. Like I
said, given the level of knowledge exhibited in the original post, I'd
opine that it is the fastest path to a clean PC. So what's your problem,
exactly?

Next time you want to help, try S'ing TFU and letting folk who know 
what they are doing have a go, eh?
Have a go, "Nick"... you claim to know what you're doing. What's your
faster path to a clean PC?

Out of curiosity, why the venom? Did I say something to you that wasn't
perfectly civil? 

regards,
petard

-- 
If your message really might be confidential, download my PGP key here:
http://petard.freeshell.org/petard.asc
and encrypt it. Otherwise, save bandwidth and lose the disclaimer.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html