C Board  

#1, 07-14-2008, 09:13 AM, cyberfish (Registered User)
Windows virus?

I am dealing with a strange what-I-suspect-to-be-virus and could use some help. I have been spoiled by Linux for so long that I am clueless with virii now.

The machine is a cheap prebuilt Acer branded Pentium D 3 GHz with SiS chipset. Running Windoze XP.

The machine has been used primarily for word processing and web surfing for the past 1 year.

The symptoms -
Upon booting, a few dialogues pop up, saying "Memory cannot be 'read'". Name of the binary is different every time (that's why I suspect it to be a virus).

I formatted (quick option) the drive, and reinstalled Windows XP SP2 using a trusted media (XP CD with slipstreamed SP2 that I have been using for years). The problem remains upon the first boot.

I do have a second partition that I kept my data in, which might have carried the virus over, but I haven't accessed it since reformatting.

I have not installed anything yet. It was the very very first boot, not even drivers, and the dialogue shows up immediately after I log in.

The computer functions normally otherwise.

Suggestions?

Thanks
-- cyberfish
#2, 07-14-2008, 09:23 AM, Elysia (Mysterious C++ User)
Check your startup list and untick any programs you don't know.
Most of the time, this is a harmless message about a program screwing up and thus being closed by Windows.
__________________
Using: Microsoft Windows™ 7 Professional (x64), Microsoft Visual Studio™ 2008 Team System
I dedicated my life to helping others. This is only a small sample of what they said:
"Thanks Elysia. You're a programming master! How the hell do you know every thing?"
Quoted... at least once.
Quote:
Originally Posted by cpjust
If C++ is 2 steps forward from C, then I'd say Java is 1 step forward and 2 steps back.
-- Elysia
#3, 07-14-2008, 09:45 AM, Greenhorn__ (Registered User)
Did you make a (slow) memory check from the BIOS?

Is it an (old) notebook? Maybe the memory is beginning to die; notebooks don't have a long life.


Greetz
Greenhorn
#4, 07-14-2008, 09:52 AM, matsp (Kernel hacker)
Whilst I agree to some extent with Greenhorn, it may simply be a case of "you need to reseat the memory". Run a memory test (perhaps you can find a Linux CDROM with memtest86, or download a CD/floppy image of it from somewhere). It is a thorough memory test that will show if your memory is OK or not. If it's OK then it's likely something else that has gone wrong. If it shows errors, it may be time to open the machine up and unplug the memory modules and plug them back in.

Memory chips in themselves should last tens of years, but the connections can get old.

--
Mats
__________________
Compilers can produce warnings - make the compiler programmers happy: Use them!
Please don't PM me for help - and no, I don't do help over instant messengers.
#5, 07-14-2008, 11:30 AM, cyberfish (Registered User)
Thanks for the suggestions!

Quote:
Check your startup list and untick any programs you don't know.
Assuming you are referring to "start -> All Programs -> Startup", it's empty.
Quote:
Most of the times, this is a harmless message about a program screwing up and thus being closed by Windows.
Hopefully that is the case. Seems strange, though. It's a fresh install.

Quote:
Is it a(n) (old) notebook ? Maybe the memory begins to die, notebooks don't have long life.
It's a one-year old desktop. Could be that it's cheaply built, though, as it's a prebuilt machine. I usually build my machines myself.

Quote:
Whilst I agree to some extent with Greenhorn, it may simply be a case of "you need to reseat the memory". Running a memory test (perhaps you can find Linux CDROM with memtest86, or download a CD/Floppy of it from somewhere). It is a thorough memory test that will show if your memory is OK or not. If it's OK then it's likely something else that has gone wrong. If it shows errors, it may be time to open the machine up and unplug the memories and plug them back in.
I will try memtest86. It's Orthos (prime95) blend test stable for 8 hours, though.

I have run SeaTools' full disk surface scan on the Seagate hard drive, too.
-- cyberfish
#6, 07-14-2008, 11:34 AM, Elysia (Mysterious C++ User)
I mean check ALL startup programs. You know Windows is too complex for its own good.
Use the msconfig utility to find and disable startup programs, or alternatively some 3rd-party utility.
-- Elysia
#7, 07-14-2008, 11:40 AM, cyberfish (Registered User)
Quote:
Use the msconfig utility to find and disable startup programs or alternatively some 3rd party utility.
That's it! Thanks so much.

There are two binaries in the startup list, jvvo and kxvo.

Googling reveals that they are virii spread by USB drives. I happen to have one attached.

It's still strange, though. How did ANYTHING on the USB get run without me accessing the USB drive at all?
-- cyberfish
#8, 07-14-2008, 11:52 AM, cyberfish (Registered User)
Googling revealed something even crazier.

Apparently the virus creates an autorun.inf and a downloader on the USB drive.

Upon attaching the USB drive, autorun gets executed and runs the downloader which downloads (from the USB drive or internet) and installs the virus.

Hmm. Microsoft? User friendliness comes first?

Sometimes it really puzzles me how Windows can survive so long and stay so popular while being so insecure. This is beyond poor design - running anything on a USB drive upon attaching? Even I can write a virus like this, knowing this behaviour of Windoze.

Sorry, just had to let it out.
-- cyberfish
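The autorun.inf mechanism described in this post can be inspected rather than only switched off. The script below is an added example (written for this page, not code from the thread, and not a copy of any real malware file): it parses a constructed autorun.inf, reports every entry that would launch a program when the drive is attached or opened, and notes whether that program is a relative path, i.e. a file carried on the drive itself, which is the pattern described above. The key names (`open`, `shellexecute`, `shell\<verb>\command`) are the real autorun.inf keys; the file names in the sample are made up.

```python
import configparser
import ntpath
import shlex

# Constructed sample, modelled on what the thread describes: an autorun.inf on a
# USB stick whose [autorun] section points at a launcher stored on the stick.
# It is not a copy of any real malware file.
SAMPLE_AUTORUN_INF = """\
; constructed sample autorun.inf
[autorun]
open=launcher.exe
shellexecute=launcher.exe
shell\\open\\command=launcher.exe /quiet
icon=%SystemRoot%\\system32\\shell32.dll,4
label=My Stick
"""

# Keys that make Explorer run a program: on insertion (when Autorun is enabled)
# or when the drive is opened from My Computer or its context menu.
# icon / label / action only change how the drive is displayed.
EXEC_KEYS = {"open", "shellexecute"}


def parse_autorun(text):
    """Return the [autorun] section as {lowercased key: value}, or {} if the
    text has no such section or is not parseable as an INI-style file."""
    parser = configparser.RawConfigParser(strict=False, delimiters=("=",))
    try:
        parser.read_string(text)
    except configparser.Error:
        return {}
    for name in parser.sections():
        if name.lower() == "autorun":          # section name is case-insensitive
            return dict(parser.items(name))
    return {}


def launches(section):
    """Yield (key, command) for every entry in the section that runs a program."""
    for key, value in section.items():
        if key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            yield key, value


def audit_autorun(text):
    """Describe what this autorun.inf would execute.

    Returns a list of findings (empty for a benign icon/label-only file); each
    finding records the key, the full command line, the program it names, and
    whether that program is a relative path, i.e. a file on the drive itself."""
    findings = []
    for key, command in launches(parse_autorun(text)):
        # posix=False keeps Windows backslashes and quoted paths intact
        tokens = shlex.split(command, posix=False)
        program = tokens[0].strip('"') if tokens else ""
        findings.append({
            "key": key,
            "command": command,
            "program": program,
            "on_drive": bool(program) and not ntpath.isabs(program),
        })
    return findings


if __name__ == "__main__":
    for f in audit_autorun(SAMPLE_AUTORUN_INF):
        where = "on the drive itself" if f["on_drive"] else "absolute path"
        print(f'{f["key"]:<20} -> {f["program"]} ({where})')
```

Run against the root of a removable drive (read the file, pass its text to `audit_autorun`), an empty result means the file only sets an icon or label; anything else is worth looking at before the drive is opened in Explorer.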
#9, 07-14-2008, 12:55 PM, Greenhorn__ (Registered User)
Save the following code as "yxz.reg" and double-click it. This will disable autostart from DRIVE_UNKNOWN, DRIVE_REMOVABLE, DRIVE_REMOTE, DRIVE_CDROM.

Code:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000B5
Greetz
-- Greenhorn__
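The value in that .reg file is a bitmask, and it helps to see exactly which drive types 0xB5 covers before applying it. The script below is an added example (mine, not Greenhorn's or the thread's): it parses the .reg text posted above, decodes NoDriveTypeAutoRun bit by bit, and checks that removable drives are covered. The bit meanings follow Microsoft's documentation of NoDriveTypeAutoRun (bit positions match the DRIVE_* constants of GetDriveType; 0x01 and 0x80 are both documented as "unknown type"), and 0x91 is the Windows XP default. Python is used so it runs anywhere offline; applying the value still needs the .reg file or a registry editor.

```python
import re

# NoDriveTypeAutoRun is a bitmask: a set bit disables Autorun for that drive
# type. Bit positions follow the DRIVE_* constants returned by GetDriveType();
# Microsoft documents 0x80 as a second "unknown type" bit next to 0x01.
DRIVE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE",
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE",
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "DRIVE_UNKNOWN (second bit)",
}
XP_DEFAULT_MASK = 0x91   # Windows XP default: unknown and network drives only

POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# The .reg file from the post above, embedded so the script runs offline.
REG_FROM_POST = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000B5
"""


def parse_reg_dwords(reg_text):
    """Parse a minimal .reg export into {(key_path, value_name): int} for the
    dword values it contains. Other value types are ignored."""
    values = {}
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = re.match(r"^\[(.+)\]$", line)
        if key_match:
            current_key = key_match.group(1)
            continue
        val_match = re.match(r'^"([^"]+)"=dword:([0-9A-Fa-f]{1,8})$', line)
        if val_match and current_key is not None:
            values[(current_key, val_match.group(1))] = int(val_match.group(2), 16)
    return values


def decode_no_drive_type_autorun(mask):
    """Return the drive types for which the mask disables Autorun."""
    return [name for bit, name in DRIVE_BITS.items() if mask & bit]


def removable_autorun_disabled(mask):
    """True if the mask covers DRIVE_REMOVABLE (USB sticks, the case in the thread)."""
    return bool(mask & 0x04)


def audit_reg(reg_text):
    """Locate NoDriveTypeAutoRun under the per-user Explorer policy key in the
    given .reg text and report what it disables; None if the value is absent."""
    mask = parse_reg_dwords(reg_text).get((POLICY_KEY, "NoDriveTypeAutoRun"))
    if mask is None:
        return None
    return {
        "mask": mask,
        "disabled": decode_no_drive_type_autorun(mask),
        "removable_covered": removable_autorun_disabled(mask),
    }


if __name__ == "__main__":
    report = audit_reg(REG_FROM_POST)
    print(f"NoDriveTypeAutoRun = 0x{report['mask']:02X}")
    for name in report["disabled"]:
        print("  disables Autorun on", name)
    print("removable drives covered:", report["removable_covered"])
    print("XP default 0x91 covers removable drives:",
          removable_autorun_disabled(XP_DEFAULT_MASK))
```

The same value can also live under HKEY_LOCAL_MACHINE at the matching path, and that copy takes precedence over the per-user one, so when checking a machine export both hives rather than trusting the HKCU value alone.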
#10, 07-14-2008, 06:17 PM, Bubba (Super Moderator)
In Windows' defense, security is a bit difficult when 90% of the world's PCs use it. Other OSes have it far easier. Why write a virus for a system that no one uses? I have far fewer complaints about XP having been to Vista and back. XP is a very nice operating system and is very fast save for startup, like most Microsoft apps. There are legit complaints about XP but I don't feel yours is one of them. In the end, it is the user's responsibility to protect their system from threats. I'd rather have XP lean and mean and rely on third-party apps to secure my system. Trying to make Windows do everything comes off to me like a video game that wants to do everything. It might be able to do everything but it does nothing well. I'd rather have a few components that do their job very well than ten thousand that just suck.

But there are sooo many tools out there available for free that I have a hard time believing this virus just 'crept' in. Complete scans of your system and careful monitoring of what you install and plug into your computer will thwart any virus. I will not use someone else's USB flash drive if they do not have virus software on their computer and if they do not perform regular scans. I deny every application or script that wants to run on a site, including possible spyware in ads. Spybot S&D will silently block this stuff, and firewalls like Comodo Pro and Zone Alarm will help you guard your system.

I haven't had a virus that actually threatened my PC in years. AVG found one about a month ago while I was browsing gamedev.net and it quickly killed it. Before that time the last serious virus I had was about 4 years ago.
__________________
If you aim at everything you will hit something but you won't know what it is.

Last edited by Bubba; 07-14-2008 at 06:21 PM.
-- Bubba
#11, 07-14-2008, 08:15 PM, cyberfish (Registered User)
Quote:
Other OSes have it far easier. Why write a virus for a system that no one uses?
I don't think there is any less interest in cracking UNIX than Windows. True, Windows is run on 99% of all computers, but the remaining 1% are the mission critical ones. If equally difficult, I would rather crack a bank server than 99 personal computers.

Quote:
In the end, it is the user's responsibility to protect their system from threats
But all virii exploit a bug in the OS (except social engineering ones). If there are no bugs (or if they are fixed rapidly enough), there won't be any need for anti-viruses. Anti-viruses are like third-party Windows bug-fixing packs. Looking around the computer world, Windows is the only OS in the whole universe that needs a third-party program to keep it safe.

Quote:
I'd rather have a few components that do their job very well than ten thousand that just suck.
Also known as the UNIX philosophy.
http://en.wikipedia.org/wiki/UNIX_ph...NIX_Philosophy

Except in UNIX, when an exploit is found, the OS designers fix the bug, instead of irresponsibly redirecting their users to buy (or get) third party anti-viruses that use pattern matching and heuristics to do damage control.

Quote:
But there are sooo many tools out there available for free that I have a hard time believing this virus just 'crept' in. Complete scans of your system and carefuly monitoring of what you install and plug into your computer will thwart any virus. I will not use someone else's USB flash drive if they do not have virus software on their computer and if they do not perform regular scans. I deny every application or script that wants to run on a site including possible spyware in ads. Spybot S&D will silently block this stuff and firewalls like Comodo Pro and Zone Alarm will help you guard your system.
Sure, but as said above, the fault lies in Windows. Anti-viruses/Anti-Spywares are just damage control devices.

I am not saying Windows can't be safe (which is debatable) with all precautions, regular scans, tweaks, and third-party software. What I am saying is, why is it necessary?

Compare it to, say, any popular Linux distribution. They are all more secure than necessary for home and small office use out of the box. As far as I am aware, all Linux virii are proof-of-concept ones (that Linux can be infected, too), and there were only a few, the last one a couple of years ago. Linux people responded by fixing the bugs in the OS, not redirecting users to get third-party bugfixes.
-- cyberfish
#12, 07-14-2008, 09:16 PM, zacs7 (Woof, woof!)
By that theory it's the OS's fault that you can delete the entire thing, i.e. "rm -rf /" on Linux.

> But all virii exploit a bug in the OS
That's a huge stereotype. I'd say very, very few exploit bugs. They usually rely on the user playing a big part, i.e. how is a virus attachment in an email which, when run, emails your private documents away anything to do with an OS bug? And this isn't classed as social engineering... What, are programs not supposed to be able to read files? Must be a bug...

> I don't think there is any less interest in cracking UNIX than Windows.
Who said anything about cracking? Windows is targeted because it holds a larger userbase, at least for personal computing. If you're planning to spread ads or havoc why would you go for the smaller userbase?

And if you're going to get that technical, there is more 3rd party software in Linux than Windows...
__________________
"I.T. gets the chicky-babes" - M. Kelly
bakefile | vim
-- zacs7
#13, 07-14-2008, 09:27 PM, Mario F. ((?<!re)tired)
Virus writers have been targeting Microsoft operating systems for decades, since the DOS days. It won't change if the OS becomes more secure... search Google for "Linux virus", and you'll see that malware is being written for Linux too, in great part due to the increased popularity of this operating system.

Every operating system offers its own approach to security. Windows is no less secure than Linux or Mac. What it does is delegate security to third-party tools, some embedded in the operating system (Windows firewall, user management, ...), others made by 3rd-party sources.

What you have to reason instead is: if a whole blooming market that has been created to support Windows security can't handle the amount of threats, what makes you think Microsoft alone could? There's no magic feature that would suddenly turn Microsoft into a foolproof operating system. Root access alone is no guarantee of success, since that alone doesn't secure against many types of malware... again, check Google. Besides, I'm pretty sure the Windows architecture isn't geared towards root and it would be a difficult feature to implement in the presence of the current core. A good example is Vista's sad attempt. You can argue that's an example of bad implementation... perhaps. I'd prefer to think instead it's an example of the difficulty Windows has in implementing a root-like feature.

A day will come when computer users realize that part of their task in using a computer is to maintain the computer, much like they do with their car. It's not only about pressing the pedal, it's also about regular inspections. Complaining about Windows security, when outside the context of a bug, is complaining about our inability to use our computers. Sorry, but that's just the way it is. Every virus that we allow to enter our systems, every hijacker or trojan, every successful hacking, is a written letter to our incompetence first and foremost. And this is as true today as it was 15 years ago. And it is as true on Windows as it is on any other operating system.
__________________
Originally Posted by brewbuck:
Reimplementing a large system in another language to get a 25% performance boost is nonsense. It would be cheaper to just get a computer which is 25% faster.

Last edited by Mario F.; 07-14-2008 at 09:30 PM.
-- Mario F.
#14, 07-14-2008, 10:14 PM, cyberfish (Registered User)
Quote:
They usually rely on the user playing a big part, i.e. how is a virus attachment in an email which, when run, emails your private documents away anything to do with an OS bug
Sure, if you need to execute the attachment to get infected, I wouldn't blame Windows.
It's a different story, though, if you only need to open the email to get infected. When I open an email, I am not expecting to run anything. It's like you don't expect anything to be run when you enter a drive. Yet, that is what Windows does (autorun).

Quote:
By that theory it's the OS's fault that you can delete the entire thing, ie "rm -rf /" on Linux.
You have to type and run the command.

I only need to insert the USB disk to run whatever is written in autorun.inf.

Quote:
Who said anything about cracking? Windows is targeted because it holds a larger userbase, at least for personal computing. If you're planning to spread ads or havok why would you go for the smaller userbase?
Because you get a bigger prize for cracking a bank server than 100 PCs.

Quote:
And if you're going to get that technical, there is more 3rd party software in Linux than Windows...
Huh?... what does it have to do with this?

Quote:
Virus writers have been targeting Microsoft operating systems for decades since the DOS days. It won't change if the OS becomes more secure... search google for "Linux virus", and you'll see that malware is being written for Linux too and in great part due to the increased popularity of this operating system.
I just googled it. All the virii I found require the user to explicitly run an untrusted binary. Not like just inserting a USB drive. And then the virus would perhaps exploit a bug in Linux to get root access. Yes, it would be a bug of Linux, just as Linux developers would openly admit, and be willing to fix.

Quote:
The Linux operating system, Unix and other Unix-like computer operating systems are generally regarded as well-protected against computer viruses.[1] There have been successful attacks, however, on both Linux and Unix systems, the most notable perhaps being the Cuckoo's Egg attacks on Unix systems in the 1980s.

There has not yet been a single widespread Linux malware threat of the type that Microsoft Windows software currently faces; this is commonly attributed to the malware's lack of root access and fast updates to most Linux vulnerabilities.[2]

The number of viruses specifically written for Linux has been on the increase in recent years and more than doubled during 2005 from 422 to 863.[3]
- Wikipedia
The whole blooming market cannot support the number of threats because of the fundamental design problems in Windows, making it particularly easy to exploit. Both bugs and "features" like autorun.

The Vista attempt at imitating what UNIX has for decades (sudo) has been a step towards the right direction IMHO. I won't comment on the implementation, because I have not used it extensively.

Quote:
I'd prefer to think instead it's an example of the difficulty of Windows to implement a root-like feature.
I think that is because Microsoft is keeping the core design from decades ago, when MS cared nothing about security. I think the only way to make Windows as secure as UNIX would be to rewrite the whole thing from the ground up, with security in mind. But of course, that is not possible, as it will break all existing programs, and will be financially suicidal for Microsoft. It's a business after all. As for why UNIX was designed from day 1 with security in mind, I wouldn't know. I wasn't born at that time.

As for the future, I haven't lived long enough to know. However, as of now, in UNIX/Linux, every exploit is considered a bug, and is fixed by the respective software developer. This approach has been working fine for Linux, and I am sure people want to break into UNIX systems (due to them being mission critical servers) as badly as they want to break into personal computers running Windows.
-- cyberfish
#15, 07-14-2008, 10:51 PM, Bubba (Super Moderator)
Quote:
If there are no bugs (or if fixed rapidly enough),
Hehe. If only it were that easy. Sometimes it's not so much an issue of the bug itself but of how recurring and how dangerous it is. You very well could waste weeks and weeks of dev time on a bug that might occur 1% of the time. If the bug is a nuisance and not harmful then in my view it's a waste of time to address when there are plenty of other high-priority bugs in the line to be fixed.

Quote:
By that theory it's the OS's fault that you can delete the entire thing, ie "rm -rf /" on Linux.

You have to type and run the command.

I only need to insert the USB disk to run whatever is written in autorun.inf.
To get a virus on Windows you must give permission for a file to run, download, etc. Opening an email that has a script in it is pretty much giving it permission. Even then Outlook will warn you and allow you to not allow the script to run. IE also has this feature where you can block scripts from running. And the beautiful thing about autorun is you can shut it off completely from the control panel. I personally have never experienced any issues with autorun and certainly would not put the blame on it for a virus entering my system.

Quote:
I think that is because Microsoft is keeping the core design from decades ago, when MS cared nothing about security. I think the only way to make Windows as secure as UNIX would be to rewrite the whole thing from ground up, with security in mind. But of course, that is not possible, as it will break all existing programs, and will be financially suicidal for Microsoft. It's a business afterall. As for why was UNIX designed from day 1 with security in mind, I wouldn't know. I wasn't born at that time.
And guess what keeping that core design did for them? It prevented catastrophes like Vista. I'm not so sure they kept the core design from ages ago, and from what I know they did quite a bit of restructuring and refactoring between 95, 98, and XP. Vista looks pretty much like an overhaul and man does it blow chunks. Everything I liked about XP is either missing, doesn't work, or just plain sucks in Vista. My point is this is a big claim unless you have some affiliation with the company or the huge dev team for the OS. I don't know how much they kept and how much they left, but I do know that XP is by far the best they have produced to date.

Quote:
The whole blooming market cannot support the number of threats because of the fundamental design problems in Windows, making it particularly easy to exploit. Both bugs and "features" like autorun.
Again we are stuck on this autorun thing. Autorun has nothing to do with the problem. Autorun only runs when a .inf is present meaning you either installed the program in question, copied it piecemeal to your USB drive, or you inserted a CD/DVD. Using autorun to install a virus is a sad attempt in my book since it is so simple to bypass. Hold down left shift and autorun will not execute.

So in the end if you have a virus it's your fault. Blaming the OS won't help matters and it won't help you rid yourself of bad habits that allowed the virus in. Just take it as a learning experience and stop trying to blame the OS. You certainly have not produced any evidence to support your claims that it is the OS's fault you have a virus.
-- Bubba