Dynamism S5 delivered with viruses?

lrowland · #1 05-28-2009, 06:22 AM

I put a question mark on this becuase I wanted to see if anyone else is seeing what I am seeing. I received my S5 yesterday and promptly did a backup using Clonezilla before I ever even started Windows the first time.

Finally I started everything up and connected a keyboard and mouse to make getting started easier. Then without connecting to any internet connection I tried making changes to the way files were show in the Explorer folders. No matter what I do I cannot get hidden files to show - I checked the box under "Tools->Folder Options->View->Show hidden files and folders" and it reset everytime.

So then I even open regedit and tried changing HKCU\software\microsoft\windows\currentversion\exp lorer\advanced\Folder\Hidden\SHOWALL\CheckedValue to 1. It immediately resets itself to 0!

So after some Googling I determined the likely culprit is a virus "Win32.QQrob-32"! I'm not going on the Internet until I'm free of this. I'll try to install and Antivirus today to see if it finds it.

Sorry to be so long-winded - I was just wondering if anyone else has seen this with a Dynamism delivered S5 (not the ebay one which I hear is also virus-riddled).

Thanks,
Larry

odgnut · #2 05-28-2009, 06:34 AM

I have no problem viewing hidden files by enabling it under folder options. I have also installed and scanned my system with NOD32.

My S5 is one of the first 200 from Dynamism.

hazmat · #3 05-28-2009, 06:49 AM

Are you logged on with admin account or as guest ? That is most likely the issue. Only admin privileged accts can make those changes.

lrowland · #4 05-28-2009, 06:55 AM

Quote:

Originally Posted by hazmat

Are you logged on with admin account or as guest ? That is most likely the issue. Only admin privileged accts can make those changes.

Good question - I just turned it on so it is using the default accoutn of "Owner" which has admin priviledges. I'm installing AVG 8.5 and Spybot now. I looked at the Run entry in the Registry and did not see anything wierd and the Services look ok. There are no odd processes running either.

I was in the second set of S5s and this could be due to something I did but I'm really just using it offline in about as clean a mode as possible.

If I have to I'll just flatten it and put Win7 on there.

Thanks!

lrowland · #5 05-28-2009, 07:02 AM

Interesting - Spybot just found something called "ActMon-Pro" which apparently a keylogger and may be the cause of the problem. At least I'll be able to clean it all up.

I looked at some of the file create dates and they were all created on the drive last week so it was in fact delivered with this installed.

I would highly recommend everyone install anti-virus and anti-spyware as soon as possible on those S5's in the second batch.

Docangle · #6 05-28-2009, 07:26 AM

I also had the Win32.QQrob-32 virus on my unit from Dynamism. I installed Windows 7, so I did not care. That virus causes a bunch of issues and is hard to get rid of, it causes issues with security and admin. rights.

Phen0m · #7 05-28-2009, 08:17 AM

From various threads it seems many people are.. mostly these are ones purchased from ebay though.. strange that dynamism's are infected as well..

I didn't even bother with the default install like most of you.. I cloned with trueimage and installed XPT '05.. no issues thus far excep the damn backlights that don't have an off switch.

lrowland · #8 05-28-2009, 08:35 AM

Quote:

Originally Posted by Docangle

I also had the Win32.QQrob-32 virus on my unit from Dynamism. I installed Windows 7, so I did not care. That virus causes a bunch of issues and is hard to get rid of, it causes issues with security and admin. rights.

Wow, I thought I was really going crazy. Thank you for corroborating the problem. I'll drop Dynamism an email to let them know of the issue. For people that are not techie this would be a nasty little problem they may never even know they have until someone takes all their passwords!

Justinmp · #9 05-28-2009, 12:27 PM

Did you get any extras like office pre-installed on it? Does the factory wipe get rid of it? (Maybe it was a last minute update or something...) maybe Dynamism was picking them up off of ebay to fill orders early LOL

Docangle · #10 05-28-2009, 05:03 PM

As a side note my unit also had the dreaded Kinza.exe Virus as well.

lrowland · #11 05-28-2009, 05:14 PM

Quote:

Originally Posted by Justinmp

Did you get any extras like office pre-installed on it? Does the factory wipe get rid of it? (Maybe it was a last minute update or something...) maybe Dynamism was picking them up off of ebay to fill orders early LOL

Yep, I got Office pre-installed. Also it looks like the version of Windows installed is not a legitimate copy or at least it does not match the key on the back of the unit. It is really not good that Dynamism let that happen - for non-techies this is seriously a bit situation since this particular virus logs keystrokes and sends them off to some bot-receiver in the wild.

I'm having a devil of a time getting rid of it. AVG found it and tried to remove it but it keeps coming back. I also get a error message about not finding boot.vbs on startup (this was one of the infected files).

Still can't set my files to be not hidden. It has become personal now so I'm going to eradicate this friggin virus even if I wind up flattening the machine.

Oh what fun!

I just sent this to Dynamism support after not being able to reach them earlier today by phone:

Quote:

Dear Dynamism –
I received my Viliv S5 Premium and have been working with it for two days.
There is a VERY serious situation that you need to be aware of that I have found. The image delivered to you on these machines has several virus installed out of the box.
I am very technical so I know to look for these and how to fix them but your average user does not know the situation and will be subjected to the keylogging virus Win32.QQrob-32!

You should at least notify purchasers of the S5 of the possibility of this situation. I have posted my findings as well in a public forum I frequent. I have no doubt you did not know about this problem and it occurred in Korea. Having said that you should act quickly to let everyone know. I have a long history with you company (going back to the Libretto 60ct!) and I know you are a good company.

Please my posting and others that have found the same virus:
http://forum.pocketables.net/showthread.php?t=3143

Sincerely,
Larry

lrowland · #12 05-28-2009, 05:25 PM

Quote:

Originally Posted by Docangle

As a side note my unit also had the dreaded Kinza.exe Virus as well.

Yep, I have that file as well - it won't let me delete it though. I think you have to boot into safe mode and delete it.

Does anyone have suggestions on better remover than Spybot, Norton, or AVG? I'll do a step by step document if I can successfully make this thing clean.

SalesGeek · #13 05-28-2009, 05:26 PM

Office did come installed on mine, as well. Did everyone NOT get Word, Excel, Outlook and PP? I had the same issue with the viruses that have been discussed. My feeling is they came from the factory that way, since the boxes and the device were sealed tight as a drum. No tampering observed, from what I could see. Funny though. Please check your USB connections, as they are attempting to get to your MAIN computer. The viruses almost trashed my 16gb USB drive. I got rid of it by totally reformatting the drive. Then I ran Malwarebytes and Avast. So far, so good...

reydemia · #14 05-28-2009, 05:47 PM

A word of advice to everyone with the virus:

1. install AVG
2. boot into safe mode
3. run the avg command line scanner(just run a scan as normal, it will by default resort to the cmd scanner because you are in safe mode)
...this should get rid of the virus because it more than likely not be able to do much while in safe mode
4. if the above didn't work, download and run a program called "Trojan Remover" while in safe mode(trial download here: http://www.majorgeeks.com/Trojan_Remover_d903.html)
...this should find and allow you to get rid of the virus. I know the virus is a keylogger, but I am almost positive it is a trojan, which the above program is VERY good at getting rid of.

I fix people's computers all of the time, most virus you can only get rid of via safe mode if they were acquired before the pc was protected by an anti-virus. So please try the steps above and tell us your results. I would do so myself, but I do not have my S5 yet.

P.S. - here's our big one up on why the latest shipment of S5's were delayed...Viliv obviously realized this problem and quickly began reinstalling clean copies.

lrowland · #15 05-28-2009, 06:03 PM

reydemia,
Thank you for helping out with the step by step. That is the first I've seen the Trojan Remover but I can report that both it and MalwareBytes (thanks Salesgeek!) do in fact work and are safe. They cleaned up the script error and Kinza.

I agree this would explain the delay and that Dynamism is not to blame for this. However, Dynamism has an absolute obligation to let their customers know of this situation and every hour that goes by without them responding is just making them look bad.