Me and I

Your teacher always told you to say “so and so and I” instead of “me and so and so”. This is correct (most of the time), but did they explain why? It is often a point of confusion for most people because while teachers usually remember to teach that, they often do not explain the reason for it, which leaves people not understanding, which in turn can lead to problems such as using it incorrectly or not at all.

Many people think (and some are even taught!) that it is just more polite to put the other person first but that is NOT the reason. There is a legitimate grammatical reason.

In a proper English sentence, the first-person singular pronoun I is used where speaker is the subject of the sentence. That is, when the person is the one doing something. When the person is the object in the sentence, me is used instead. This is when the person is having something done to them. Examples of the former include I went there and I didn’t know what it was. Examples of the latter include He gave it to me, They helped me, and It happened to me too.

That’s great, but there is a much easier and faster way to determine whether a given sentence is grammatically correct. Since “blah and I” or “me and blah” are conjunctions (they combine two objects), you can break it down to its constituent parts to see if it still works. This is a simple method to show the proper usage. When do you use “…and I” and when do you use “…and me / me and…”? It’s simple; just separate the compound sentence by rewriting it with each subject, or object as the case may be, then test the sentences with each individually.

For example: “Bob and I saw the movie” becomes “Bob saw the movie” and “I saw the movie”. Both of those work fine, and so the sentence is fine as is.

What about “Me and Bob saw the movie” (or “Bob and me saw the movie”)? They become “Bob saw the movie” and “Me saw the movie”. Clearly, “Me saw the movie” is incorrect and so should be changed to “Bob and I”.

That is the reason you say “Bob and I”. Technically, you could also say “I and Bob” in a sentence like this, but most people would agree that it sounds and feels pretty awkward: “I and Bob saw the movie”

However, you do not always use “…and I”. For example, “You saw Bob and I” is incorrect because breaking it down becomes “You saw Bob” which is fine and “You saw I” which is wrong. The correct sentence would be “You saw Bob and me” or “You saw me and Bob”. This breaks down to “You saw Bob” and “You saw me” which is correct. At this point, the order of the subjects is up to the writer. Both “You saw Bob and me” and “You saw me and Bob” are valid, and there are no official rules to their order.

One hiccup comes in the form of the possessive personal pronoun, namely “my” or “mine”. This does not really work in the same way, though it is somewhat easy to figure out by simply trying the different forms. It would be “His any my cars were parked” as opposed to “His and mine cars were parked” (alternately, though somewhat awkwardly, “My and his cars were parked” instead of “Mine and his cars were parked”). Similarly, “They liked his and my food” is correct where “The liked his and mine food” is not. Where “mine” is correct, it is rarely combined due to its usage: “it was mine and his” (or “it was his and mine”) is usually just written as “it was ours”. Note, this can also be applied to the other forms as well: “We saw the movie”, “You saw us”, “Our cars were parked”, and “They liked our food”.

i.e.: e.g.

To avoid looking foolish, it is a good idea to learn to properly use the Latin abbreviations eg and ie. Think about what they mean, does the sentence sound right when you replace them with their English meanings?

AbbrLatinEnglish
EGExempli GratiaFor Example
IEId EstThat Is
  

Use a web-browser, eg: IE, FireFox, Opera.
Use a web-browser, for example: IE, FireFox, Opera.
Use a web-browser, that is, IE, FireFox, Opera.

He ruined the project, ie, he couldn’t finish it on time.
He ruined the project, that is, he couldn’t finish it on time.
He ruined the project, for example: he couldn’t finish it on time.

It is not difficult to use them properly when you know what they mean.

Self-Viewing Data Files

This article shows one way of creating self-viewing data files. Examples of such things include self-extracting archives and self-playing videos. Self-viewing data files are executable files that put the data and the viewing program together in a nice neat little packa-ge.

This will require two programs, the player and the creator. The player will be embedded as a resource inside the creator. The creator extracts the player (aka the “stub”) and saves it as the target file, then embeds the data file in that as a resource. The player, when run will read the data file from it’s resources and display it.

To accomplish this, there will need to be a few functions that access or manipulate resources. Here are the ones required and who the onus falls on:

StepFunctionResponsible
1Insert  viewing program as   resource into creator program   You, programmer
2Extract viewing program from resource and save to file       Creator program
3Insert  data file       as   resource into viewing program   Creator program
4Extract data file       from resource and save to file/displayViewing program

The obvious way to do this is to use the native resource functions. Unfortunately, the functions for updating resources is not available for Win9x systems, only the ones for reading them are. There is a way to add the missing support by using the MSLU but that adds to the size and requires including a DLL with the program. An easy alternative is to manually handle the “resources” by injecting them in and extracting them from the stub. This is the method used in this article. We’ll break down the work into the separate programs. First the player.

The Player (stub.exe)

Step 4
The viewing application (the stub) will need to be able to extract the data from itself. The data will be located at the end of the executable, followed by the size of the data (so that we know how much data there is), and finally a signature. Here is some (surprisingly) simple code—sans error checking—to read a chunk of plain text:

void ReadResource() {
    CFile f;
    DWORD sig =0;
    LONGLONG size =0;
    CString t =_T("");
    //open itself for reading
    if (f.Open(__argv[0], CFile::modeRead)) {
        //read the last 4 bytes of the file and check if it is the signature
        f.Seek(-((LONGLONG)sizeof(sig)), f.end);
        f.Read(&sig;, sizeof(sig));
        if (sig==0x12344321) {
            //read the size
            f.Seek(-((LONGLONG)(sizeof(size)+sizeof(sig))), f.end);
            f.Read(&size;, sizeof(size));
            if (size) {
                //seek to the start of the data
                f.Seek(-((LONGLONG)(size+sizeof(size)+sizeof(sig))), f.end);
                //allocate a buffer for the data and read it
                f.Read(t.GetBufferSetLength((UINT)size), (UINT)size);
                //display the read data in the edit control
                GetDlgItem(IDC_EDIT1)->SetWindowText(t);
            }
        }
        f.Close();
    }
}

Other types of data can be read in the same manner.

The Creator (create.exe)

Step 2
We can use the same technique as above to read the stub from the end of the creator program, but here is a way to do it with the normal method of using resources (which is supported):

//search for and locate the stub resource
HRSRC shstub=FindResource(NULL, MAKEINTRESOURCE(IDR_STUB), _T("BIN"));
if (shstub) {
    //verify the size of the stub
    DWORD rs=SizeofResource(NULL, shstub);
    if (rs) {
        //load the stub resource
        HGLOBAL hstub=LoadResource(NULL, shstub);
        if (hstub) {
            //lock the stub resource to get a pointer to it's first byte
            BYTE* stub=(BYTE*)LockResource(hstub);
            if (stub) {
                //create an executable file
                CFile stubf;
                if (stubf.Open("stub.exe", CFile::modeCreate|CFile::modeWrite)) {
                    //copy the stub to the file
                    stubf.Write(stub, rs);
                    stubf.Close();
                }
                UnlockResource(hstub);
            }
        }
    }
}

Step 3
The stub is now written to the disk but is just a viewer. We have to inject the data file for it to display:

//get the data to be injected (simple edit box in this case)
UpdateData();
CString  t =::GetWindowText(GetDlgItem(IDC_EDIT1));

CFile    f;
LONGLONG size=0;
DWORD    sig =0;

//open the player file
if (f.Open("myfile.exe", CFile::modeReadWrite)) {
    //we need to check if there's already something there
    //read the last 4 bytes from the player file and check if it's a signature
    f.Seek(-((LONGLONG)sizeof(sig)), f.end);
    f.Read(&sig;, sizeof(sig));
    if (sig ==0x12344321) {
        //there's already a resource there, so we'll have to replace it
        //read the size of the existing resource
        f.Seek(-((LONGLONG)(sizeof(size)+sizeof(sig))), f.end);
        f.Read(&size;, sizeof(size));
        if (size) {
            //add the size of the size and signature
            size+=sizeof(size)+sizeof(sig);
            //truncate the file, leaving just the stub
            f.SetLength(f.GetLength()-size);
        }
    }

    //seek to the end of the file
    f.Seek(0, f.end);
    size=t.GetLength();
    //write the data file to the stub
    f.Write(t.GetBuffer(), (UINT)size);
    //write the size of the data
    f.Write(&size;, sizeof(size));
    //write the signature
    sig=0x12344321;
    f.Write(&sig;, sizeof(sig));

    f.Close();
}

Step 1
Finally, we need to insert the stub into the creator program. If you are using the resource method, then it can be added as any other resource, making sure to use type BIN and using stub.exe as the source. If you are using the manual method, then you will need to manually append stub.exe to creator.exe, add the size of stub.exe, then the signature.

Now, just compile stub.exe, then creator.exe. Run the creator program and create some data. Click the export player button, and select the filename to save. The creator will read the stub, save it to disk, and inject the data. Now run the self-contained data/viewer file. It will extract the data from itself and display it.

Note: there are a couple of drawbacks to using this method. First, while it works, it is not part of the PE format standard. Future revisions of the PE format may break this, especially with the crackdown on code execution. Another potential problem is that some virus scanners may detect the modification of an executable as suspicious activity and thus have a bad reaction, causing itchy, watery eyes and a runny nose. The virus scanner can be circumvented however, by writing the stub to a non-executable file (say myfile.bin), then renaming it after the data has been injected.

Quieter, Smoother Computer

Most computers come with fans to keep them running cool enough to avoid problems. Unfortunately, fans have moving parts, move fast, and stir air. All this results in quite a bit of noise which can cause headaches, not to mention being down right annoying. It also causes a lot of vibration which further adds to the noise, headaches, and annoyance. Some people get rid of their fans and use alternative cooling methods, however most of these are just too expensive for the regular computer user, and worse, too complicated. Good computer cases will come with rubber feet instead of the hard plastic ones that cheaper cases have. The rubber feet will absorb the vibrations instead of passing them to the desk, floor, or whatever surface the computer rests on. If your case does not have rubber feet, then you can add them if you are comfortable/able to open the case. If not (or even if your case does have rubber feet), there is a quick, easy, and cheap trick that can help to reduce vibration which will result in less noise and provide quieter, smoother computing environment.

Simply place a couple of foam-rubber mouse-pads beneath the computer. You’ve probably got a few lying around somewhere, or can easily buy a couple for under a dollar. The design does not matter, so you can get generic ones for less. The thick, foam-rubber kind work best, although even the thin rubber kinds are better than nothing. In either case, you just slip in under the computer to cushion it from the desk, making sure that the rubber side faces the computer. Even better, fold it in half (rubber side out), and you’ve got a vibration damping, noise canceling, double-cushioned, non-slip shim between the computer and the desk.

*UPDATE*
Here is a blog entry which says pretty much the same thing and includes pictures.

Tip: Smooth Mouse Scroll Wheel

Here’s a tip for those with scroll mice. Take the clicker out of the wheel. Scroll mice usually accomplish the clicking of the scroll wheel by means of a spring or metal stick that press inside the wheel. Take this out, the wheel will turn nice and smooth. It may take a little getting used to, but it will soon feel great.

Of course you should realize that the clicking serves a function: to limit the movement of the wheel. If the scroll wheel is too loose, it may spin out of control without it, but normally it won’t. In fact, in some mice, the clicker may cause unwanted scrolling, so removing the clicker will eliminated that.

(The little metal stick inside my mouse broke recently, and I panicked because it was a fairly new, expensive mouse, but before I knew it I was hooked—pun intended. I never want to use a clicker again.)

Outlook Express Folder Compaction Error

If you get the following message for FOLDERS.DBX when trying to “compact all folders” in Outlook Express

The folder is currently in use by Outlook Express or by another application.

there is a simple solution. The error message is deceptive since the actual cause has nothing to do with being in use. The problem occurs when you try to compact all folders and not all folders are actually present on disk. This can happen if a .DBX file got deleted somehow (for example if you decided to save some space by deleting the .DBX files of empty folders.) When OE tries to compact, it checks the folders.dbx file to see what .DBX files to expect, and when it can’t find one, it complains with the inaccurate message above.

The fix is simple, just replace or recreate the files. The easiest way to do this is to simply open the missing folders in OE because it will automatically create a .DBX file if one does not exist.

If you do not know which ones are missing, you can click on “Local Folders”, press the * key on the keypad to expand all branches, then click on each and every folder—you could also use the Down key instead of clicking, but then you have to wait a second on each folder for OE to open them, clicking opens them instantaneously.

After you’ve ensured that all .DBX files exist, you can successfully compact all folders.

Registry Cleaners/Repairers: Caveat Usurpator

The registry is where Windows keeps most of it’s settings. It is also where most programs keep their settings. Ever since it was introduced in Windows 95, it has been a mysterious place where some people have dared to venture in the hopes of finding computing treasure. There are all kinds of articles on how and where to make modifications and tweaks to improve system performance, increase stability, add new features, and other enhancements to the OS.

One aspect of the registry that has been popular is the concept of cleaning or repairing it. The idea that it can get cluttered with traces of old, uninstalled programs, invalid file references, corruption, and manipulation by nasty programs, and that cleaning these out and repairing them, will help a system run better. There is of course truth in this, and making sure that the registry is free of debris is certainly a good thing. Unfortunately, doing so requires some skill and more patience than even the best of us have. It is now a vast storage with more entries than there are stars in the sky. A proper audit would take far too long. As a result, numerous programs have been written to help automate this process. They scan the registry for what they consider to be problems and list them for the user, eager to delete them. Unfortunately, few if any such programs does the job adequately or even properly. Most of them do little more than look for references to files that do not exist. Some will check other components as well, but searching for missing files tends to be the most popular function of these programs.

Modifying the registry is not always as hazardous as some would have you believe. There are plenty of changes that can be done or undone safely. Of course there are some which can make it extremely difficult to fix and can potentially require reinstalling the OS. Making changes to entries without noting what the previous value was, or deleting entries altogether, is an irreparable operation and so must be done carefully. The better cleaner/repair tools will allow you to back up the entries they modify before altering them, but some do not; be vary wary of these.

Another thing to look out for when using a registry cleaner/repair utility is whether or not it provides detailed explanations of the entries it deems problematic. If all it gives is a one-line reason (eg: missing file/invalid entry/etc) or says nothing at all, then you should be extremely careful. A proper utility will give you the option of viewing a thorough explanation of why they flagged an entry as being bad, and what it means. That way you can examine it and determine if it really is a problem or not.

The vast majority of these registry fixing applications return more false positives than they do genuine items to fix. There are numerous reasons why they can report a false positive:

MRUsA lot of apps keep track of files that have been opened with them and often the file no longer exists because they were temporary, moved, renamed, etc. So when the cleaner checks the MRU, it sees a file reference but the file is not there, so it complains.
Variables in filenamesMost of these types of apps are not capable of handling filenames that have variables in their path. For example while %systemroot%\explorer.exe is an existing file, the cleaner will nag that it can’t find it.
Other types of unsupported file pathThese apps usually only support simple filepahts (eg: c:\folder\file.exe) so they choke on other types of filenames like network paths (eg: “\\somecomputer\folder\file.exe”). Services often use this format: “\??\c:\myservice\service.sys” which they can’t read. URLs are another that can’t be checked by them. Some may, but most don’t support relative paths: “system32\blah.exe”.
Empty keysWhen some cleaners find an empty key(s) they figure that it’s just residue from an uninstalled program, and thus obsolete. This may be the case but no necessarily. It could just be that the app has not yet been run since installation, that the app hasn’t had reason to write to it yet, or that it uses the key itself as data: perhaps keeping a version number in the keyname, or using the fact that the key exists at all to indicate that the app is installed. Obviously removing it even though it’s empty, would mess things up.
Hidden/system files/folderSome of these apps are unable to determine if a file or folder exists if it is a hidden or system file/folder even if it does.
Special formatSome programs have entries that are in their own special format (eg: “something”=”c:\blah|The Blah Game|3|always”). These apps won’t be able to parse the value and identify just the file/folder part. (They should not be messing around with things they can’t handle anyway.)
Temp filesThere are often traces of temporary files, Internet caches, etc. left behind for a while. For example a browser may keep a list of it’s temporary files. When the user clears them out, they are still listed until the browser overwrites them with new entries, so the cleaner nags. Of course if the use cleared them through the browser, it should have wiped them from the registry as well, but the user may have manually cleared them or use another tool. In this case it’s perfectly fine since they are temp files, but the registry entries are still there. And, since the cleaner can’t tell the difference between an important file and a temp file, it complains about all.
Icon indexesPlain icon files (icon.ico) have a single icon while DLLs, ICLs, EXEs, and such may have more than one. In this case the specific icon inside is indicated in this manner: “c:\folder\icons.dll,32”. This means that the target is the 32nd icon in the file icons.dll. Almost all of these cleaners are unable to handle this and can’t find the file.

As you can see, the results from these apps are not very reliably and you should be wary of what they report. Not all of the entries they flag will be problems so you should examine them before making any changes. You should be aware that even if you run these programs immediately after a fresh installation of Windows, they will find quite a lot of things to complain about.

That’s not to say that you should not use these programs at all; they definitely have their use, just be careful. The best advice is to limit yourself to items you know for sure are incorrect, such as those for a program you have uninstalled, or for a file you deleted. If you are unsure about something, leave it be at least until after you have looked it up, and always make a backup (export a .REG file) so that you can recover from any mistakes.

Forever Lights: One Caveat

Forever Lights are a great, brilliant invention. In fact, any invention that uses alternative forms of energy are wonderful; hand-cranks, solar cells, magnets. Forever Lights—and their knock-offs—are flashlights which use one or more super-bright white LEDs instead of incandescents, which allow it to create pure, white (or bluish) light that remains cool and does not create heat, while also lasting—for all intents and purposes—forever without fear of burning out. Furthermore, Forever Lights use rechargeable lithium ion batteries instead of single-shot alkalines. Finally, the rechargeable batteries are recharged, not by plugging it into an outlet, but by simply shaking it. They have a powerful magnet inside which when shaken, passes through a tightly coiled wire. The magnetic field from the magnet passing through the coil creates electricity which charges the batteries.

To top it all off, if you get a good one (knock-offs are of poorer quality) they will also be waterproof. This makes these perfect for underwater use like in scuba diving or cave diving. A problem that many divers have feared is their flashlight batteries dying while they are down there (or other cave spelunkers above ground). With this, they just shake it a bit and they’ve got light again; wonderful. Nicer models even allow you to choose from using a single LED for less light up to three for a whole lot of light.

This is truly a brilliant device which uses human power instead of electricity. Another such device I’ve seen use a crank type device. These are great because they do not cost money for electricity or batteries, but also because since they use human power which when combined with the physical law that energy cannot be created or destroyed, just changed in it’s form, means that it is a productive way to burn off some fat.

There is one warning about the Forever Light however. Because they use powerful magnets to create the electricity for the batteries, they cannot be used while working in or around computers, televisions, or any other device that uses magnets itself. You could very well wipe or at least corrupt disks or distort screens. For these tasks, a more traditional form of light is required but for everything else, Forever Lights are marvelous.

No Such Thing As a Complete and Equal List

I have always had trouble with equally balanced lists; probably due to my obsessive compulsive disorder. A couple of years ago, I was auditing a University course (I believe it was a software project management course) when as usual, my mind wandered. After many years of trying to force it, it finally dawned on me that trying to make a perfectly symmetrical and complete list is literally impossible, it cannot be done, ever.

What does a complete list mean? Let’s use an example to define it. A good example is billing. When entertainers perform shows with more than one star, one of them must get “top billing”, that is, one of their names must come before the other; this is just the nature of a list. There is no way to list both names at the same time—just try to tell someone who the stars of the show are by saying both of their names simultaneously; you must say one before the other. Top billing is desirable because it implies importance. As a result, many co-stars end up arguing, even fighting over who gets top billing.

One solution is to give one top-billing, then follow it up by giving the other one top-billing. That way they each get top-billing. This does not work however because now one of them got top-billing first which is itself like saying that that person was more important, which is why they got it first.

You might propose to just balance it out by giving the second person top-billing first, in the next run, followed by the first person, and repeating, but this just ends up repeating itself. Let’s represent this with symbols:

The original list with one name listed first:
AB

The first solution, with the second person getting top-billing, but second:
AB , BA

The second attempt, with the second person getting top-billing first but in the second run:
AB,BA ; BA,AB

The third attempt, the second person gets top billing but again in the second half:
AB,BA;BA,AB – BA,AB;AB,BA

One more try before giving up:
AB,BA;BA,AB-BA,AB;AB,BA * BA,AB;AB,BA-AB,BA;BA,AB

As you can see, once the list has begun and one item is listed before another, there is no way that the list can be completed and symmetrical/balanced; you just get stuck in a recursive loop that grows forever. This is due to the nature of linearity. No matter what you do, A is the first item in the list and always will be! You could reverse the list so that B comes first or append the new items to the front instead of the back, but then we are in the same situation with all the symbols alternating yet never perfect:

AB
BA , AB
AB,BA ; BA,AB
BA,AB;AB,BA – AB,BA;BA,AB
AB,BA;BA,AB-BA,AB;AB,BA * BA,AB;AB,BA-AB,BA;BA,AB

Things get much worse with more than two symbols. The only list(s) that can be perfect are lists with only one symbol: A, AA, AAA, AAAA, and so on.

Unfortunately, there is no way to equally credit two performers, and there is no way to list two equal items. Even if you move into more dimensions there is still no way to present more than one item simultaneously.

Easy Rootkit Detection

An easy way to detect most rootkits is to use an old technology: DOS.

Most (read, pretty much all) rootkits require some sort of file component. In fact all malware requires some sort of file to be loaded to perform it’s malfeasance. This is because malware is just software that does bad things and software means files. Even worms and other memory-resident applications require files at some point. This is why rootkits hijack directory listing commands to hide themselves.

So, how do you find files when they are being hidden? One way is to check the drive at a low-level, viewing the disk directly instead of using a file listing command. You can look at the disk and see if the entries in the cluster match up with the directory listing. This is a common method but has it’s drawbacks. For one thing, a decent rootkit would be able to hijack sector-level disk access and hide it’s entries just as it does with a directory listing command. Another problem is that it is difficult to use and can be unreliable.

Another easy to use method is to get a directory listing from within Windows, then boot into DOS mode and get another one, then compare the two. There are few if any DOS rootkits, but more importantly DOS is a lightweight, easy to control environment that can fit on a single floppy. This is important, because it means that you can ensure the integrity of a DOS boot disk because a minimal system needs just four files taking no more than 200KB. Make sure that the boot disk is reliable by making it from a secure system and then write-protecting it. Another option is to use a CD, for example a Windows 95/98 CD which allow you to boot to DOS.

To check for a Windows rootkit:

  1. Open a command prompt with the cmd command.
  2. Get a directory listing with dir c:\/s/a/o>d:\windir.txt.
  3. Reboot into pure DOS mode (do this ASAP after the previous step.)
  4. Get another directory listing with dir c:\/s/a/o>d:\dosdir.txt.
  5. Compare the two files (eg: WinDiff d:\dosdir.txt d:\windir.txt).

Obviously there will be some differences, since files are normally created, changed, and deleted while shutting down Windows. You’ll have to use your best judgement and possibly a reference or the Internet to determine which files that are different are malicious. To minimize the noise, make sure to clean up any temporary files and such before getting the listing.

If there is no rootkit, then the two listings should be more or less the same. If there is a rootkit present, then the DOS listing will reveal the hidden rootkit files.

One drawback to this method is that the built-in DIR command returns the directory listings in different formats in Windows and DOS. As a result, it will be difficult to do a straight comparison of the two listing files. For example this is a listing made in Windows:


Volume in drive C is C-Windows
Volume Serial Number is 0123-4567

Directory of C:
Mar.03.03 03:03am 233,632 ntldr
Mar.03.03 03:03am 47,580 ntdetect.com
Mar.03.03 03:03am 193 boot.ini
Mar.03.03 03:03am Windows
Mar.03.03 03:03am Program Files
Mar.03.03 03:03am Documents and Settings
3 File(s) 48,638 bytes
3 Dir(s) 123,456,789 bytes free

and the same in DOS (with DOSLFN for long file names on the right):


Volume in drive C is C-WINDOWS
Volume Serial Number is 0123-4567
Directory of C:
NTLDR 233,632 03-03-2003 03:03 ntldr
NTDETECT COM 502 03-03-2003 03:03 ntdetect.com
BOOT INI 502 03-03-2003 03:03 boot.ini
WINDOWS 03-03-2003 03:03 Windows
PROGRA~1 03-03-2003 03:03 Program Files
DOCUME~1 03-03-2003 03:03 Documents and Settings
3 file(s) 48,638 bytes
3 dir(s) 123,456,789 bytes free

The formats are quite different and will require some reworking to make a comparison easy. One solution is to use a third party directory listing program instead of the built-in dir. A third party dir would give the listing in the same format in both Windows and DOS, just make sure that it can list anything, and everything (including hidden files, system files, volumes, etc.)

All software is limited and hackable, and malware is no different. With a little thought and the right tools, even a rootkit can be ferreted out.