From: David H. Lipman on 5 Apr 2010 21:58

From: "Beauregard T. Shagnasty" <a.nony.mous(a)example.invalid>

| Dustin Cook wrote:
>> Did you check the pcbutts and rot13 search query yet?
| Wasn't it rot1 ?

Public Marker #1
---------------------

:S949n
IF EXIST "%UserProfile%\application data\seilhturtlaereht.inf"

seilhturtlaereht.inf ==> Drop the .INF

seilhturtlaereht ==> theealtruthlies

Public Marker #2
---------------------

IF EXIST "%UserProfile%\local settings\temp\obatssrsghde.exe" echo "%UserProfile%\local settings\temp\obatssrsghde.exe"
IF EXIST "%UserProfile%\local settings\temp\obatssrsghde.exe" echo "%UserProfile%\local settings\temp\obatssrsghde.exe">>remove-it.txt

The file; "%UserProfile%\local settings\temp\obatssrsghde.exe" is a fabrication. It does not exist.

It, obatssrsghde.exe, is actually a file name in code.

obatssrsghde.exe ==> drop .EXE

obatssrsghde

increase character by 1 ==> pcbuttsthief

( ROT1 Right )

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

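
Added example, not part of any post in this thread: a Python sketch that applies the two decodings described above (string reversal and a ROT-n letter shift) to the file names tested by `IF EXIST` lines and reports any that decode to text containing an analyst-chosen watchword. The sample script, its `echo found` commands, the `setup.exe` line, the watchword list and all function names are constructed for illustration.

```python
import re

# Constructed sample shaped like the lines quoted in the post; the echo
# commands and the setup.exe line are invented for illustration.
SAMPLE_BATCH = r'''
:S949n
IF EXIST "%UserProfile%\application data\seilhturtlaereht.inf" echo found
IF EXIST "%UserProfile%\local settings\temp\obatssrsghde.exe" echo found>>remove-it.txt
IF EXIST "%UserProfile%\local settings\temp\setup.exe" echo found
'''

def rot(text, n):
    """Shift ASCII letters by n places with wrap-around; leave the rest alone."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("a") if ch.islower() else ord("A")
            out.append(chr((ord(ch) - base + n) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)

def candidate_names(script):
    """File names (directory and extension dropped) tested by IF EXIST lines."""
    names = []
    for m in re.finditer(r'IF\s+EXIST\s+"([^"]+)"', script, re.IGNORECASE):
        stem = m.group(1).rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if stem not in names:
            names.append(stem)
    return names

def decodings(name):
    """Yield (label, text) for reversal and for each of the 25 letter shifts."""
    yield "reverse", name[::-1]
    for n in range(1, 26):
        yield f"rot+{n}", rot(name, n)

def find_markers(script, watchwords):
    """Report every decoding of a candidate name that contains a watchword."""
    hits = []
    for name in candidate_names(script):
        for label, plain in decodings(name):
            if any(w in plain.lower() for w in watchwords):
                hits.append((name, label, plain))
    return hits

if __name__ == "__main__":
    # Watchwords are the analyst's guess at what a marker might spell out.
    for hit in find_markers(SAMPLE_BATCH, ("truth", "thief")):
        print(hit)
```
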
From: Dustin Cook on 5 Apr 2010 22:07

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in news:hpe4g802lq7(a)news3.newsguy.com:

> From: "Beauregard T. Shagnasty" <a.nony.mous(a)example.invalid>
>
>| Dustin Cook wrote:
>
>>> Did you check the pcbutts and rot13 search query yet?
>
>| Wasn't it rot1 ?
>
> Public Marker #1
> ---------------------
>
>:S949n
> IF EXIST "%UserProfile%\application data\seilhturtlaereht.inf"
>
> seilhturtlaereht.inf ==> Drop the .INF
>
> seilhturtlaereht ==> theealtruthlies
>
> Public Marker #2
> ---------------------
>
> IF EXIST "%UserProfile%\local settings\temp\obatssrsghde.exe" echo
> "%UserProfile%\local settings\temp\obatssrsghde.exe"
> IF EXIST "%UserProfile%\local settings\temp\obatssrsghde.exe" echo
> "%UserProfile%\local settings\temp\obatssrsghde.exe">>remove-it.txt
>
> The file; "%UserProfile%\local settings\temp\obatssrsghde.exe" is a
> fabrication. It does not exist.
>
> It, obatssrsghde.exe, is actually a file name in code.
>
> obatssrsghde.exe ==> drop .EXE
>
> obatssrsghde
>
> increase character by 1 ==> pcbuttsthief
>
> ( ROT1 Right )
>

Woops. Sorry. Rot1 it was.

--
"Hrrngh! Someday I'm going to hurl this...er...roll this...hrrngh.. nudge this boulder right down a cliff." - Goblin Warrior

From: Dustin Cook on 5 Apr 2010 22:07

"Beauregard T. Shagnasty" <a.nony.mous(a)example.invalid> wrote in news:hpe3k7$95a$1(a)news.eternal-september.org:

> Dustin Cook wrote:
>
>> Did you check the pcbutts and rot13 search query yet?
>
> Wasn't it rot1 ?
>

Yep, my bad.

--
"Hrrngh! Someday I'm going to hurl this...er...roll this...hrrngh.. nudge this boulder right down a cliff." - Goblin Warrior

From: Dustin Cook on 5 Apr 2010 22:09

ASCII <me2(a)privacy.net> wrote in news:4bc28dc3.3954578(a)EDCBIC:

> Dustin Cook wrote:
>>Your
>>methods of investigation wouldn't be tolerated in any military setting I
>>know of... so I don't understand why you think they would be here?
>
> You suggesting he waterboard you guys (Butts included)
> to get to the truth?

Hmm.. No, I wasn't suggesting that. His methodology of not accepting the fact he just doesn't have access to some material is just.. mind boggling to me.

--
"Hrrngh! Someday I'm going to hurl this...er...roll this...hrrngh.. nudge this boulder right down a cliff." - Goblin Warrior

From: David H. Lipman on 5 Apr 2010 22:24

From: "Dustin Cook" <bughunter.dustin(a)gmail.com>

| "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
| news:hpe4g802lq7(a)news3.newsguy.com:

>> From: "Beauregard T. Shagnasty" <a.nony.mous(a)example.invalid>

>>| Dustin Cook wrote:

>>>> Did you check the pcbutts and rot13 search query yet?

>>| Wasn't it rot1 ?

>> Public Marker #1
>> ---------------------

>>:S949n
>> IF EXIST "%UserProfile%\application data\seilhturtlaereht.inf"

>> seilhturtlaereht.inf ==> Drop the .INF

>> seilhturtlaereht ==> theealtruthlies

>> Public Marker #2
>> ---------------------

>> IF EXIST "%UserProfile%\local settings\temp\obatssrsghde.exe" echo
>> "%UserProfile%\local settings\temp\obatssrsghde.exe"
>> IF EXIST "%UserProfile%\local settings\temp\obatssrsghde.exe" echo
>> "%UserProfile%\local settings\temp\obatssrsghde.exe">>remove-it.txt

>> The file; "%UserProfile%\local settings\temp\obatssrsghde.exe" is a
>> fabrication. It does not exist.

>> It, obatssrsghde.exe, is actually a file name in code.

>> obatssrsghde.exe ==> drop .EXE

>> obatssrsghde

>> increase character by 1 ==> pcbuttsthief

>> ( ROT1 Right )

| Woops. Sorry. Rot1 it was.

The important factor, and for the record...

Stuart placed the above and OTHER markers in the RogueFix utility. Within a short period of time AFTER the RogueFix batch file was posted, Butts had a new version of Remove-It out and those markers were CLEARLY found in whatever package he subsequently posted.

The markers were created in such a way that there should be NO hesitation in recognizing the plagiarism. The chance of the strings naturally occurring, encoded as they were, is astronomically large. Yet, obviously so simple once you knew the key. As always, "trusted" people knew in advance what the resultant string was, the key used and the marker in general was going to be.

The public taunting of Butts and obatssrsghde.exe was the final clincher for many.

What was REALLY "interesting" was Butts trying to weasel his way out. He said he sent obatssrsghde.exe with an MD5 = 3eb436f91454923f2d7f1d8dda41f681 to Virus Total and gave us a Virus Total report. That made me laugh as I have access to an administrator of Virus Total and I told him it was about catching Butts in a lie. Since he knew the whole story he was happy to assist and he provided me the following information...

"MD5 = 3eb436f91454923f2d7f1d8dda41f681
it arrived twice, sent by the same person:

file name: obatssrsghde.exe
date.....: 2009/07/21 03:40
source...: US, Anonymous, id 1340019

file name: roxio_downloaded_from_Demonoid.co
date.....: 2009/07/21 03:34
source...: US, Anonymous, id 1340019"

Thus Butts found something to the effect of "roxio_downloaded_from_Demonoid.co" and submitted it to Virus Total. He then renamed it to "obatssrsghde.exe" and re-submitted it to Virus Total as "obatssrsghde.exe" and that was the report he provided.

Too f'n phunny !

Butts gets caught in lies, and gets called out on them. He covers them with more lies, etc, infinitum.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp