July 25, 2007

The Romeo Error

Last week I reread The Romeo Error by Lyall Watson (Anchor Press/Doubleday, 1974). Watson is a South African doctor of biology who was educated in England. He is best known for his 1973 bestseller Supernature. In the introduction Watson says, "If Supernature was my 'life book,' then this is its companion volume on death." (p. viii) As a biologist Watson was embarrassed by the fact that biologists do not know when life begins or ends. "I believe that a student of life should know where it starts and have some idea of how it ends. Hence this book. It starts from first principles and develops along the lines of a debate, as much for the sake of my own sanity as for anyone else's edification." (p. viii) The nine chapters include: Life, Death, Dying, Personality, Enlightenment, Dissociation, Survival, Possession, and Miracles.

Here's a list of some of the many fascinating topics.

The inability of scientists to distinguish life from death.

The suggestion that death is a continuum rather than an event.

The concept that death should be treated as a disease, which is sometimes curable.

The unreliability of death tests that involve the heart, breath, temperature, pupil, brain waves, rigor mortis, and even putrefaction.

The fact that death is redefined whenever technological advances show that people who would have formerly been called dead, can now be called alive.

Evidence indicating the existence of a death cry at the cellular level, which can be received by other organisms at a distance.

Experiments that indicate a plant witnessing the murder of another plant can later identify the murderer by means of electrical responses.

The stages of dying.

Accounts of death by means of magic.

Studies showing that individuals are linked telepathically and that someone who is being thought about reacts with measurable physiological changes.

The suggestion that such phenomena as fainting, cataplexy, catalepsy, and seizures are biological survival mechanisms.

The idea that ceremonies for the dead are designed to keep the dead from bothering the living.

The possibility of the personality surviving physical death.

Clairvoyance.

Astral projection.

Embryonic cell behavior and how such cells can alter their purpose.

Psychokinesis.

Hauntings.

The suggestion that we are all psychic but psychic inputs are subtle and filtered out by our brains.

Possession.

Reincarnation.

Satya Sai Baba's miracles.

The psychic medical diagnoses of Jose de Freitas (Arigo).

Psychic healing and psychic surgery.


The Romeo Error is well-written and well-researched. More than three hundred bibliographic entries are cited throughout the text. There is also a good index enabling the reader to find those topics he finds the most interesting. Even now, over thirty years later, the book is filled with thought-provoking concepts, profound insights, and wonderful mysteries.

July 8, 2007

Rootkits & Trojans

On June 26 my brother asked me to fix a problem on his computer. My brother's Windows XP Home had been crashing unexpectedly with a blue error screen (BSOD). His antivirus program was BitDefender 9.5 Standard.

The computer crashed soon after I analyzed the Startup items in msconfig. The file that caused the problem was Icbw49.sys. The error message was "Page_Fault_in_nonpaged_area". A Google search for the file name returned zero hits. If the file was a legitimate system file as indicated by its "sys" name extension, there should have been many hits. Usually a Google search on a problem will find posts by people who have had the same problem. Often solutions can be found. I was disturbed that the file name was not in Google's index.

I went to Control Panel, Folder Options, View, and made changes to display the contents of system folders, show hidden files and folders, show extensions for known file types, and show protected operating system files. Then I searched C: (the only hard drive) for the file Icbw49.sys. The file was not found. Distrusting the XP search facility I manually searched several Windows folders where I thought the file might be. I found no file by that name. Wow. I speculated that the file was being assembled in memory by some form of malware.
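Added example, not from the post: the same hunt scripted for a modern Windows host with PowerShell 3 or later. It lists every kernel driver the service control manager has registered, flags the ones whose file cannot be found on disk (a driver that loads but has no file is exactly what the Icbw49.sys crash looked like), then searches the Windows tree for the suspect name with hidden and system files included, which is what the Folder Options changes above were for. The driver name is the one from the post; everything else is assumed.

```powershell
# Added example (not the blog author's code): cross-check registered kernel
# drivers against the files on disk, then search for a named driver file.
# Assumes Windows with PowerShell 3+ and an elevated session.
$SuspectName = 'Icbw49.sys'   # driver name from the post; change as needed

# 1. Every driver the service control manager knows about, with its path.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver

# Turn PathName forms like \SystemRoot\system32\drivers\x.sys, \??\C:\...,
# or system32\drivers\x.sys into a path Test-Path understands.
function Resolve-DriverPath([string]$PathName) {
    if (-not $PathName) { return $null }
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    $p = $p -replace '^\\\?\?\\', ''
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

# 2. Registered drivers with no file on disk deserve a closer look; a rootkit
#    hiding its own file, or a driver assembled only in memory, looks like this.
$missing = foreach ($d in $drivers) {
    $path = Resolve-DriverPath $d.PathName
    if ($path -and -not (Test-Path -LiteralPath $path)) {
        [pscustomobject]@{ Name = $d.Name; State = $d.State; Path = $path }
    }
}
'Registered drivers with no file on disk:'
$missing | Format-Table -AutoSize

# 3. Search the Windows tree for the suspect name. -Force includes hidden and
#    system files, the equivalent of the Folder Options changes in the post.
'Search for {0} under {1}:' -f $SuspectName, $env:SystemRoot
Get-ChildItem -Path $env:SystemRoot -Filter $SuspectName -Recurse -Force -File -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime

# 4. Is a driver registered under that name, whether or not its file exists?
$base = [IO.Path]::GetFileNameWithoutExtension($SuspectName)
$loaded = $drivers | Where-Object { $_.Name -eq $base -or $_.PathName -like "*$SuspectName*" }
if ($loaded) { 'Driver registered under that name:'; $loaded | Select-Object Name, State, PathName }
else { 'No driver registered under that name.' }
```

One caveat: this runs on the live system and asks the same Windows APIs a rootkit can hook, so an empty result is not proof of a clean machine. A driver that shows up in the registered list with no file behind it is a solid lead; a driver that shows up nowhere may simply be hiding, which is why booting to Safe Mode or scanning the disk offline, as the post goes on to do, is the stronger check.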

I ran a BitDefender scan of C:. BitDefender found and quarantined the following four infections.

Rootkit.Agent.EG
Rootkit.Agent.GH
Trojan.Zapchast.CA
Generic.Malware.Bdld!!.C3B48A52

I had never encountered a rootkit before, although I had read about them. I know it's better to restore a hard disk from an image backup than it is to try to remove all the pieces of a rootkit, but there was no backup. I had no desire to reformat the drive, reinstall Windows, and reinstall every program. I hoped that the rootkit wasn't written very well; a position supported by two facts -- it caused page faults and BitDefender found pieces of it. I think the most competently written rootkits would neither crash the system nor be found by antivirus products.

I decided the best thing to do would be to reload a restore point from before the infection and hope that whatever BitDefender had not quarantined would be eliminated by the restore. I had last performed maintenance tasks on the computer during my visit of May 9-15. We decided to restore the system back to May 17. The restore process completed with a message that said something like "Cannot restore system to May 17, 2007. No files were changed."

We knew the crashes had begun on June 11. So we tried to restore the system to any restore point created after May 17. Every attempt to restore to any date from May 17 through June 11 failed with the same message. Restoring to the June 12 restore point succeeded, but that was the first restore point after the system had been infected. At that point I knew we were dealing with something truly clever and devious. The malware (rootkit/virus/Trojan/key-logger/worm) was preventing restoration of the system to any pre-infection date. Wow.

I began to think the malware had won. I feared having to take drastic and time-consuming action. I thought of one last thing to try... a long shot. I rebooted the computer into Safe Mode, which limits the number of dlls, drivers, and other system files that are loaded. I tried to recover the system to the May 17 restore point, and it worked! The malware couldn't stop the recovery being run in Safe Mode. Whew!

Then I ran a complete scan using Spybot Search & Destroy. Of course the scan found many insignificant items like tracking cookies, but it also found the following five threats.

Backdoor.Win32.SdBot.gen
CurePCSolution
SurfSideKick
TagASaurus
Win32.Small.ddx

Spybot successfully removed each of the threats.

My brother and his wife know not to run executables attached to emails, so I guessed that the many infections were due to drive-by downloads while surfing with Internet Explorer. They had been using both Internet Explorer and Mozilla. I installed Firefox and suggested they use Mozilla or Firefox to avoid future infections.

The BitDefender 9.5 subscription was expiring and I didn't want to install BitDefender 10, so I installed AVG Free 7.5. A complete scan with AVG showed no threats. I then installed and ran AVG Anti-Rootkit, which also found no threats. Nothing significant was found by an Adaware scan either. Finally, I created a new restore point.

Hopefully the system is clean now and any undiscovered rootkit pieces will not be able to do anything bad. Also hopefully no personal data was transmitted to a hacker.