Do you think I have a virus? Probably not.

I installed what may have been a pirated copy of Visual Studio 2010
Ultimate (is it possible to buy a legal copy of a USD $3000 program
for $5 in Russia?  I guess so, Mr. Customs Officer), and all of a
sudden my system is really sluggish connecting to the internet.  On
the other hand, my antivirus program so far has not detected anything
(Webroot), and in Athens, Greece where I'm posting they have huge
problems with the internet being slow, though now at 3:30 AM it
usually runs fast.

Do you think I have a virus?  Probably not.  But I'll check later
today.  If it's a virus it's one that cannot be detected by Webroot,
which I would imagine is unusual, but maybe they only check for
'typical' viruses.  Luckily I backed up everything before install and
can do a clean reinstall of the HD image file.

One thing a bit suspicious:  I got a request for Verclsid.exe to
connect to the internet after installing VS2010--on the other hand,
the file is 28673 bytes large, which the net says is a 'typical' value
for 93% of all Windows users.  I wonder however if a virus author can
make the file match the 'file size signature' of a clean .exe Windows
System file, and thus fool people.  I guess I can do a checksum using
FastSum 1.6 (a great program), and here it is:

91790D6749EBED90E2C40479C0A91879 *verclsid.exe

Is this file checksum authentic (clean)?  If not please let me know.

RL

Re: Do you think I have a virus? Probably not.

On Sun, 17 Oct 2010 17:40:15 -0700 (PDT), RayLopez99 wrote:

You are an idiot for installing a cracked program from FSU or
China or wherever in the first place.
If you really need a copy of the program that badly, either buy a
legit copy or get a student friend of yours to buy the educational
version for you. Ethically wrong but still one step above what you
are doing. You probably are a student anyway and not using it for
commercial use so you are reasonably close to fitting the
criteria.
I'll bet you open those emails from Nigeria claiming you just won
a million dollars.

Re: Do you think I have a virus? Probably not.



Glenn Hall wrote:
I got one for 2/12 million and I only had to send them $250.00 US.
I can hardly wait for their check. NO, it won't be for 2  1/2 million silly,
it will only be for $347,000 US.  :)
Wow, I can hardly wait. I just purchased a new Lexus (I know, but I wanted to
put some in the stock market also).
Keep up the good work!~!!
Buffalo



Re: Do you think I have a virus? Probably not.


You show your ignorance of Nigeria.  I know of real Nigerian bankers--
they are honest.  Do you know why Nigerian emails always target
finance?  Because next to South Africa, Nigeria has the best bankers
in Africa.  Carrying coals to Newcastle kind of thing.

You seem like a smart fellow rather than a fart smellow:  do you use
Windows?  I hope you're not using that crippleware called Linux.

RL

Re: Do you think I have a virus? Probably not.



RayLopez99 wrote:

I guess you missed the point and the joke!   :(

"I'll bet you open those emails from Nigeria claiming you just won
a million dollars."



Buffalo



Re: Do you think I have a virus? Probably not.

Well I may be an idiot in your eyes but I did install Vista on my
other machine with no problems, as well as other programs, from a shop
in Thailand, at $5 a copy.  This one, and all the ones I bought from
Russia, were much worse--none work correctly.  Apparently the Thai
'pirates' are honest; honor amongst thieves?  None of the programs the
Russians sold me work just right (and I'm not talking about detecting
viruses on the DVDs--even the Thais had such viruses, which are easy
to deal with and remove--rather, the programs just don't work
correctly, and may have malware in them).  Now this copy of Visual
Studio 2010 Ultimate seemed to work OK, but during installation it
asked I allow it to connect to the internet.  That was blocked by me,
and then problems began: after reboot, 90% of my internet access was
restricted because some process kept trying to dial out repeatedly.
Interestingly, my firewall shows it was trying, among other sites, to
dial up "badwarebusters.org" and "stopbadware.org" as well as some UK
sites.  These two sites are sponsored by Fortune 500 companies
including Google, to prevent illegal file sharing.  It may be that
this copy of VS was in fact a fake that was sponsored by Microsoft.  I
know that sounds strange, but the music folks have been known to
deliberately allow malware to be distributed in the form of
unauthorized .mp3 files that then screw up your system, which
discourages distribution of such files.

In any case, once I restored my system to an earlier version, prior to
installation of this program, my internet access is back to 100%

A half day lost, nothing more.

Win some, lose some.

At least I'm not a 100% Linux loser.

RL


Re: Do you think I have a virus? Probably not.

RayLopez99 wrote:

ROFL!
Thank you for that - you made my day!

May I just ask...... were you being extremely witty with your satire, and
pretending to be a Windows user while pointing out all the errors of some
Windows Enthusiasts - or (is it remotely possible?) are you so absolutely
stupid that you were serious in what you wrote????


Re: Do you think I have a virus? Probably not.

RayLopez99 wrote:
   Unfortunately for us, you were still able to access Usenet with the
other 10%.

   The funny thing is, whether you spent $3000.00 or $5 - you still got
pwned... but we're the losers?!?!


--
Norman
Registered Linux user #461062
AMD64X2 6400+ Ubuntu 8.04 64bit

Re: Do you think I have a virus? Probably not.

Glenn Hall wrote:

*plonk*


Re: Do you think I have a virus? Probably not.


| I installed what may have been a pirated copy of Visual Studio 2010
| Ultimate (is it possible to buy a legal copy of a USD $3000 program
| for $5 in Russia?  I guess so, Mr. Customs Officer), and all of a
| sudden my system is really sluggish connecting to the internet.  On
| the other hand, my antivirus program so far has not detected anything
| (Webroot), and in Athens, Greece where I'm posting they have huge
| problems with the internet being slow, though now at 3:30 AM it
| usually runs fast.

| Do you think I have a virus?  Probably not.  But I'll check later
| today.  If it's a virus it's one that cannot be detected by Webroot,
| which I would imagine is unusual, but maybe they only check for
| 'typical' viruses.  Luckily I backed up everything before install and
| can do a clean reinstall of the HD image file.

| One thing a bit suspicious:  I got a request for Verclsid.exe to
| connect to the internet after installing VS2010--on the other hand,
| the file is 28673 bytes large, which the net says is a 'typical' value
| for 93% of all Windows users.  I wonder however if a virus author can
| make the file match the 'file size signature' of a clean .exe Windows
| System file, and thus fool people.  I guess I can do a checksum using
| FastSum 1.6 (a great program), and here it is:

| 91790D6749EBED90E2C40479C0A91879 *verclsid.exe

| Is this file checksum authentic (clean)?  If not please let me know.

I always seem to have to state, don't assume a "virus".

All viruses are malware but not all malware are viruses and the
preponderance of malware are trojans, not viruses.

It sure is possible that that pirated copy contains malware.  I have
seen so many forms of legitimate software re-packaged with malware it
isn't funny.

Performing an MD5 checksum on verclsid.exe is insufficient.  They would
embed their malware into the OS not a legitimate file.

The ONLY valid MD5 checksums would have to be performed on the
installers of the package.

Scanning with just Webroot is also insufficient.  If you suspect that
you bought an illegitimate, tainted, software you need to use MULTIPLE
different vendors' On Demand scanners.

comp.os.linux.advocacy  removed as the subject matter is OT for that
group as this is a Windows application.
I also have to question adding;  alt.comp.hardware.pc-homebuilt  as this
is NOT a hardware issue.  But I will leave it in the news group D-List.

After all this I have to question your judgment.


--
Dave
Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Do you think I have a virus? Probably not.

On 10/17/2010 7:40 PM, RayLopez99 wrote:
Well, I wouldn't get a pirated copy of anything. I think it's dumb of
you to even do it. That's just my take on it. If you can't afford to
purchase VS 2010 Ultimate, then you should be doing the next best thing,
which is to download and install the VS 2010 Express editions. From what
I understand, you are a hobbyist, and you really would have no need for
the professional version of VS 2010. Now, if you can afford to get the
professional version, that is one thing. But if you can't afford it,
then use the free editions and not some pirated copy.

Re: Do you think I have a virus? Probably not.

On Oct 18, 4:17 pm, Steel <""Fake99XX1199999fake\"@(Big)
(Steel)theXfactor.com"> wrote:

It was only $5 bucks though.  And I did order the Pro version today.
The Express versions are always crippled and I try and avoid them.

RL

Re: Do you think I have a virus? Probably not.

1. There is M$ Visual Studio Express which is free
2. Did you disable your anti-virus scanner when installing that stuff?
3. What anti-virus scanner are you using?
4. A hard disk problem could also cause the system to become sluggish

--
   @~@   Might, Courage, Vision, SINCERITY.
  / v \  Simplicity is Beauty! May the Force and Farce be with you!
/( _ )\ (x86_64 Ubuntu 9.10)  Linux 2.6.35.7
   ^ ^   22:31:01 up 18 days 23:48 1 user load average: 0.00 0.00 0.00
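No borrowing! No fraud! No compensated dating! No fighting! No robbery! No suicide!
Please consider Comprehensive Social Security Assistance (CSSA):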
http://www.swd.gov.hk/tc/index/site_pubsvc/page_socsecu/sub_addressesa

Re: Do you think I have a virus? Probably not.

I know but the functionality of Express versions is always lacking
IMO.

No--it scanned fine--it actually (using Webroot) took 2 hours for
every file on the DVD to be scanned.  But during installation the
program asked to connect to the internet--pretty standard stuff, but I
did not trust it and blocked it.  It still installed fine, and I
compiled a Hello World program and it worked fine.  But later the
program kept trying to dial out--even when not running--to various
sites. Some sort of clever new virus maybe?  One not recorded yet by
Webroot AV (which is what I use--I think they use a Sophos engine)?

See above.


No, the problem went away when I restored my old HD image file today.
It was definitely either a new virus or "malware" (crippled version of
Visual Studio 2010 Ultimate, maybe crippled by Microsoft itself).

RL

Re: Do you think I have a virus? Probably not.

Sure, it depends on worth, not cost. I could pay full price for each of
some program, distribute (sell) modified copies each at a loss, and
recoup my losses in stolen processing power.

[...]

No, but then I have no information from you either way.

Yes, probably not.

Not at all unusual, for *any* antivirus.

I've never seen any statistics on the detection rate and false positive
rate of AV against "typical" viruses (whatever they are).

Usually, something either is, or is not, a virus - typical or otherwise.
It would depend on the definition being used to determine what is or is
not a virus (specifically, is a worm a virus).

Always good to have a recovery scheme.

Sure, it is the nature of some viruses to only infect those program
files that can be infected without changing the file size (cavity
infectors). Some viruses don't even have to make *any* changes to the
host program's file.

[...]

Why the Linux and hardware groups?



Re: Do you think I have a virus? Probably not.

You are either very knowledgeable about viruses, or you're making this
shiite up.

Do you have any references to this?  Or is it based on your experience
as some sort of white hat uber-hacker?

RL

Re: Do you think I have a virus? Probably not.

wrote:

You are either very knowledgeable about viruses, or you're making this
shiite up.

Do you have any references to this?

***
CIH, notable for its payload, was what is known as a fragmented cavity
infector. If it found that there was enough non-contiguous space in a
program file to accommodate it, it would insert fragments of itself into
those spaces plus the data needed to stitch them back together when it
got executed by its host.

Dir II modified the filesystem so as to have an infected image in
memory, none of the hosts program's files needed to be altered, but the
filesystem itself would attach the code when they were called. There are
other examples of other infection techniques that don't make changes to
host files.
***

[...]






Re: Do you think I have a virus? Probably not.


Well I stand corrected--you are knowledgeable about viruses.  But I
would imagine that a cavity infector would still fail a FastSum
checksum analysis, which looks at more than just the number of bytes.

RL




Re: Do you think I have a virus? Probably not.


| wrote:


| Well I stand corrected--you are knowledgeable about viruses.  But I
| would imagine that a cavity infector would still fail a FastSum
| checksum analysis, which looks at more than just the number of bytes.

Anytime you mod any file it will change its related MD5 or other checksum value.

That goes for all file infecting viruses and malware that trojanizes
legitimate files.


--
Dave
Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Do you think I have a virus? Probably not.

wrote:


Well I stand corrected--you are knowledgeable about viruses.  But I
would imagine that a cavity infector would still fail a FastSum
checksum analysis, which looks at more than just the number of bytes.

***
True, but historically, with very simple checksum algorithms, some
viruses were able to use padding to match them.
http://csrc.nist.gov/publications/nistir/threats/subsubsection3_3_1_2.html
***
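
Added example, not part of the original thread: the checks discussed above (file size, a very simple checksum, MD5 as FastSum reports it, and SHA-256) compared on a constructed byte buffer that is modified in place with padding adjusted. The buffer, the 16-bit sum and all function names are assumptions made for illustration.

```python
import hashlib

def sum16(data: bytes) -> int:
    """16-bit sum of all bytes: a stand-in for a 'very simple' checksum."""
    return sum(data) & 0xFFFF

def fingerprint(data: bytes) -> dict:
    """The checks raised in the thread, computed side by side."""
    return {
        "size": len(data),
        "sum16": sum16(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }

def modify_in_place(data: bytes, offset: int, patch: bytes, pad_at: int) -> bytes:
    """Overwrite unused bytes at `offset`, then raise padding bytes from
    `pad_at` onward until the 16-bit sum equals the original. The length
    never changes because nothing is inserted or appended."""
    buf = bytearray(data)
    buf[offset:offset + len(patch)] = patch
    deficit = (sum16(data) - sum16(buf)) & 0xFFFF
    i = pad_at
    while deficit:
        step = min(deficit, 255 - buf[i])
        buf[i] += step
        deficit -= step
        i += 1
    return bytes(buf)

def detects_change(clean: bytes, modified: bytes) -> dict:
    """For each check, True if it tells the two buffers apart."""
    a, b = fingerprint(clean), fingerprint(modified)
    return {name: a[name] != b[name] for name in a}

# Constructed sample: not a real executable, just bytes with a zero-filled gap.
CLEAN = b"HEADER" + b"\x90" * 32 + bytes(1024) + b"TRAILER"
GAP = len(b"HEADER") + 32                      # first unused byte
MODIFIED = modify_in_place(CLEAN, GAP, b"INSERTED", GAP + 8)

if __name__ == "__main__":
    for name, changed in detects_change(CLEAN, MODIFIED).items():
        print(f"{name:7}", "detects the change" if changed else "looks identical")
```

A hash only says something when it is compared against a known-good value obtained from a trusted source; a hash taken on a system that may already be altered has nothing to be compared with.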


