You don't need to be an 'investor' to invest in Singletrack: 6 days left: 95% of target - Find out more
DeathBlossom.exe
The whole story is fabricated, and it was put there by your work colleague in order to test you
The whole story is fabricated, and it was put there by [s]your work colleague[/s] cougar in order to test [s]you[/s] us
Hah! Nice idea but no, it's a genuine story.
See my post at the top of this page (3). What's the burning question here?
burning a few weeks back - like a guy fawkes thing? Fireworks screensaver?
Got an advent calendar chocolate stuck in C:\Windows\System32?
Santa radar tracker app gone rogue?
Something to do with mince pies?
misguided attempt to evade sales tracking cookies on black Friday?
Has someone swapped/nicked the original laptop for a faulty one?
Well I'd be asking the user exactly what they used the machine for a couple of weeks back when this problem happened. Have we checked the browser history?
Someone clicked on one of those stupid 'speed up your pc' links while researching another problem?
Well I'd be asking the user exactly what they used the machine for a couple of weeks back when this problem happened. Have we checked the browser history?
I don't believe it's anything the user has done on the laptop. Chrome was ****ed, but I think that was an unrelated issue.
No-one else has used it in months.
...as far as the user is aware. That doesn't make it true though.
My money's still on prankage by a technically proficient third party who has gained illicit access to the machine without the users knowledge.
...as far as the user is aware. That doesn't make it true though.
I believe her in this case.
My money's still on prankage by a technically proficient third party who has gained illicit access to the machine without the users knowledge.
It would seem so, wouldn't it.
Do you have an answer to this part, or are you also guessing still?
I don't know with absolute certainty I suppose, but I'm pretty sure what's happened, yes.
I don't know with absolute certainty I suppose, but I'm pretty sure what's happened, yes
Is that because you are a wise old owl?
(-:
Cougar - Moderator
What do we do with it?
System restore!
Good point. I tried that. No difference.
format c:
install linux
the symptoms will definitely go away 😉 (along with many others)
or ditch it and get a mac
hmm, just read the rest of the thread.
guess you could maybe try installing latencymon, see if there's any actual processes/drivers are going mental? then kill it/them? will at least tell you the most active processes/drivers to start having a look at.
andytherocketeer - Member
format c:
install linuxthe symptoms will definitely go away (along with many others)
until you need to do something useful! 😆
Is there an entry in the "programs & features" list where the "Installed On" date & time correlates with the creation/modification date & time of the task and/or .vbs file? If so, what is it?
^-and that includes "updates" too.
Do we have anything more specific than a couple of weeks? I'm assuming that is significant - though not getting it (Thanksgiving, Black Friday, start of Advent?)
I presume the vyi name isn't significant, but the ch.vbs and ch.bat might be given you don't exactly remember one, but do remember the others...
Anything to do with children who have just broken up from school/uni?
Do we have anything more specific than a couple of weeks? I'm assuming that is significant - though not getting it (Thanksgiving, Black Friday, start of Advent?)I presume the vyi name isn't significant, but the ch.vbs and ch.bat might be given you don't exactly remember one, but do remember the others...
Not to my knowledge. I should've written them down really, then I could've asked her.
The file names / task name aren't relevant to anything I'm aware of.
Is there an entry in the "programs & features" list where the "Installed On" date & time correlates with the creation/modification date & time of the task and/or .vbs file? If so, what is it?
We're almost there. "When" is the question I was looking for.
There's no creation date on the Task (logging is disabled, which IIRC is default behaviour), just "last run" which tells us nothing.
The dates on the two scripts is October 2015.
End of October?
IIRC MS changed the method of patching Win 7 in October.
MS patch issue?
End of October?
I see where you're going with that, but no, 12th I think.
Glorious - edit: nope that's August
Glorious
Nope, it wasn't Eddie Izzard either.
I have the feeling this is a massively drawn out joke, leading to a puntastic punchline
Would I do that to you? (-:
It's not, honest.
do we know when (exactly) the issue was first noticed?
Not exactly. "A couple of weeks" is all I was told. (I asked for System Restore purposes, it was a sufficiently accurate estimate for me to be able to pick an older restore point.)
10/12 <> 12/10?
Oh, nice thinking. But no, it's a UK date format.
Can we have a summary?
Can't remember what we know and what we're trying to figure out any more!
The scripts dated October [i]2015 [/i]but there seems to be a suggestion that the month of October is significant, but not the year.
Either that or the ending of the "one child policy" in China has something to do with it.
Is it an elaborate ruse to prevent the user seeing any internet spoilers for Rogue One?
there seems to be a suggestion that the month of October is significant, but not the year.
Does there?
Did you say system restore was not successful? That suggests the script's been in place for some time (since Oct 2015), but has been triggered by a date change - the restore point you used contained the script, which is still triggered by the date condition.
Are we correct to assume a third party placed this?
When's the user's birthday?
Were there any earlier restore points to track down exactly when the scripts and task were added? If so, and based on the available information, when were they added?
I'm not sure I'm getting anywhere here, but more information is always better (eventually the penicillin spores might land in my culture).
Did the task have a start date or was it execute immediately?
I might be upset if this ends in confusion between Halloween and Christmas.
Did you say system restore was not successful? That suggests the script's been in place for some time (since Oct 2015), but has been triggered by a date change - the restore point you used contained the script, which is still triggered by the date condition.
To be clear, the restore was "successful" in that it completed, er, successfully; it just didn't solve the problem.
Are we correct to assume a third party placed this?
I believe so.
When's the user's birthday?
Dunno.
Did the task have a start date or was it execute immediately?
I didn't see a start date, just "last run."
Something to do with Christmas countdown?
With Jimmy Carr?
Is there any evidence the 3rd party created this interactively or are there any pointers that it was done programmatically (i.e. via an install) - for example any evidence in the user & windows temp folders?
Something to do with Christmas countdown?
It's certainly a conundrum.
[quote=Cougar ]
Are we correct to assume a third party placed this?
I believe so.
OK, so we come back to the contradiction in this post:
[quote=Cougar ]
...as far as the user is aware. That doesn't make it true though.
I believe her in this case.
My money's still on prankage by a technically proficient third party who has gained illicit access to the machine without the users knowledge.
It would seem so, wouldn't it.
So you believe that nobody else has used the computer, yet a third party has placed this?
...and you previously dismissed my looking at browsing history to find possible infection vector.
Is it just a scheduled task made via clicking buttons, or is it an actual script someone has written? (If the latter can you post the contents?)
Is there any evidence the 3rd party created this interactively or are there any pointers that it was done programmatically (i.e. via an install) - for example any evidence in the user & windows temp folders?
Not really.
So you believe that nobody else has used the computer, yet a third party has placed this?
That's not quite what I said. I said no-one else has used it for months.
...and you previously dismissed my looking at browsing history to find possible infection vector.
I didn't dismiss it, I just didn't do it.
I'll post up the conclusion now I think, because you've all but got it.
[quote=Cougar ]That's not quite what I said. I said no-one else has used it for months.
Aaargh - I didn't get the distinction when we started discussing the date of the scripts. So somebody put on a timebomb - and have you established who did use the computer months ago?
(I think to be fair, you've made it a bit harder for us than it was for you 😉 )
User was sleep-coding?
So somebody put on a timebomb
Exactly. (-:
So. I got this on the bench and did pretty much what everyone else has suggested. There's a few minor things we've missed though.
The "Webroot" AV was presumably bundled trial software that came with the machine. The subscription had lapsed so it wasn't actually doing anything! Seems she's a serial torrenter too, so at first I was pretty sure it was some sort of infection. Oh, and the fact it hadn't been updated in forever, not even SP1, added weight to this. Trying to install SP1 failed which could be suspicious, though that's far from unusual even in normal circumstances.
I did all the usual suspects, ckdsk / SFC / MBAM scans, all clean. I tore out Webroot and installed MSE. This came back clean also. Checked for startup items in folders / registry and ruled out third party apps with a msconfig selective startup.
When everything came back clean and with it working in Safe Mode but symptomatic in normal mode, I was about to start looking for rootkits when it suddenly hit me that it was doing it [i]regularly.[/i] Looked in Scheduled Tasks and from there it all unravelled.
The behaviour of this "infection" is no malware I've ever come across and Google didn't come up with anything, which makes me think it was a deliberate hack. But no-one else had used the PC in months and there was no sign of any sort of exploit.
Wait a minute... "no-one else has used it in months" implies that months ago, someone else [i]was[/i] using it. I asked the question, it and transpires that her then-boyfriend also used to use it. Very messy split apparently, back end of last year.
The two scripts were created in October 2015. The problem didn't start happening until recently. Logically then, her boyfriend must have created the scripts to crash her PC, but set up a scheduled task to [i]start running the script in a year's time,[/i] presumably to absolve himself of suspicion / blame.
If he'd not been greedy and set it to crash every hour rather than every five minutes I probably wouldn't have spotted it. I'd have ended up formatting it in the end, unless I'd noticed the scripts in the root of C:\ which was a bit of a schoolboy error (him and me, for different reasons). I was lining up a W10 upgrade as a last resort before blatting it - which wouldn't have fixed it and would have properly broken my head.
Well done everyone.
Do I win five pounds?
Thanks Cougar! Can the next one be a bit more Christmasy?
Do I win five pounds?
Yes! You just need to pay a £10 release fee to get the money. Paypal Gift please.
Thanks Cougar! Can the next one be a bit more Christmasy?
Mince pie in the air vent?
You're welcome. I thought it was an interesting and unusual "fault," which is why I shared it.
Yes! You just need to pay a £10 release fee to get the money. Paypal Gift please.
No need.
* remotely runs payperchyafiver.exe
Did you find out why? Is b/f still on the scene?
Gaslighting with a pre-installed scrips after all (perchyowesmetreefiddy.bat)?
Dunno TBH. Not really my place to ask. As aracer said, I reckon it was a timebomb. Set it up but defer the task for a year, when it fires she'll end up taking it to a shop who won't look twice at it before factory restoring it. Who would know?
Plus I suppose, if they were to have got back together in the interim 12 months, it'll be brownie points for him to fix it for her.
<note to self, make timebombs a bit more sneaky in case gf takes computer to Cougar>
TBH it wouldn't exactly be difficult to do such a thing in a way you'd never have found it - but then the use of the vbs and a bat suggests a relative amateur.
TBH it wouldn't exactly be difficult to do such a thing in a way you'd never have found it - but then the use of the vbs and a bat suggests a relative amateur.
Yeah, that puzzled me a bit. It was simultaneously really clever and really stupid. He clearly knows quite a bit about computers, but not quite enough to do it properly.
I'd probably have used AT instead of the GUI for a start. It's a separate task list from Task Scheduler, so it wouldn't have been visible other than from the command line.