Problem with a virus, buffer overrun

Kimsland, I bought this Vaio in Panama; it came with Windows Vista installed, and I do not have any CD to boot from. There is Vista and some kind of backup for Vista also, but I really would like to skip Vista and go on with Linux/Ubuntu.
 
You can download Ubuntu in ISO format and then burn to CD and use it straight away.
Strangely, you do not HAVE to install it (as it can run quite easily from CD)

Please give that a go, until you are able to install XP (it would seem)
 
I already have it...

But it was also running as a second option to Vista in the beginning and it is sharing some folders; if it were that easy I would just change to Ubuntu and start using it. But the virus has also found its way to Ubuntu, so I really, really need to format everything, then start again with Ubuntu to have everything cleared first, to be sure I can handle some valuable information here also.

XP sure could be another possibility. Does XP have a format option (even though I have Vista) on its CD? If I borrow one from some friend?
 
Oh, I see

You could download GParted to blow away the partition.
And then use Ubuntu as a CD boot again.

By the way if you do decide to either format or blow the partition away, you will also remove any Vista recovery partition.

When your computer starts, does it show a prompt to go into the recovery (or was that removed when Ubuntu was installed)?
Or do you care anyway?

Just use GParted, then the Ubuntu live CD
 
When it starts, there are 1) Ubuntu 2) Ubuntu recovery 3) Vista 4) Vista recovery.

But I guess I prefer to delete them once and for all. I'll try this option you gave me. Thanks =)
 
I tried it already, the same virus is still there. The most incredible thing here is that none of the antivirus programs I've tried nor the virus databases on the internet are able to find this virus; everything is always OK to them, they do not find absolutely anything, even though this laptop is full of folders I cannot access. So exactly for that reason I would like to have this laptop completely formatted.
 
Ok seems a shame

Kill the partition
Install Ubuntu live CD
Run Ubuntu

Seems a shame because:

1. Someone (possibly you) set up a good boot loader for you
2. The support is down the drain
3. Vista will be lost (until you purchase a recovery disc - which is a good idea)
4. Many virus-removal manufacturers (i.e. Symantec) would like to know what you have
5. It will eventually be solved - time permitting
6. It'll be interesting to know what it is!

Just hand in your laptop to Symantec HQ, and say "the worst case ever, please investigate!"

Maybe it's in the Linux partition, and that's why we can't get it
Actually that's probably it
 
Now comes a stupid question... how do I run GParted? I unpacked it but I cannot find anything to run it...?

Ok, I'll give it one more day, you had 6 good points there. And I have to sleep a little anyway now.

I'll try both recoveries when I wake up but I am sure the problem will stay.

Does Symantec have an online service or something? There is this little problem that I live in Colombia, I don't think there is a Symantec HQ anywhere near :D If you know some place to contact so that they could check this online, I could do it. I would gladly give this to them because I really would like to know also what this is and to prevent getting it in the future, as it came from LimeWire as a music video while I was sleeping. It came when Vista was running, so could it still be in Linux?

I'll check this again when I wake up, thank you very much for all this =)
 
ISO format (on GParted) means you need to burn it to CD
Then it makes a bootable CD
You did download the ISO, I hope!

As for the HQ, I'll have a look around
Obviously they have online live scanners, but you don't want that, you want to take it to them

Hey, you may have a brand new virus. It could be named after you, like a newly found star
 
WAIT. WAIT. WAIT.

Before you try and reinstall everything.. I checked... and your AntiVir also has real-time monitoring and control... Did you uninstall Spybot? If not, uninstall it. Then open your AntiVir console (main program) and deactivate monitoring. Then reboot. Will cross fingers and see what happens.

Edit Added
Plus I think it is still worth the time for me to look at your Autoruns output without MSConfig being used for startup, as it prevents me from seeing what the normal startups are. But it's up to you.
 
Allow me to use a separate post to be sure this is noted:

You had some problems reported at the start. Most significant was the buffer overrun, as I recall. Are you still having those same problems you reported were occurring at the time of your first post?

I ask because if those problems have disappeared but the remaining problems all involve denied access rights, registry keys reappearing, etc., AND virus and rootkit scanners are not finding ANYTHING, I think it is wise to explore whether maybe there's a protection software issue involved and not a brand new virus that nothing is detecting and whose only behavior is "protecting" things which otherwise aren't causing problems (assuming they've gone away).

Anyway, my thoughts. Depends on what you want to do to fix the computer. I can still look deeper at a couple of things unless you're just ready to nuke it and start over (and maybe even need that thing working again ASAP).
 
I don't understand why stop monitoring again?
Well, for starters, he's only stopped monitoring SpyBot's TeaTimer function, not AntiVir

Just uninstall AntiVirus all together, and check again
Huh? He has AntiVir Internet Security Suite (maybe even the full-featured paid version. I don't know. Do you?) Two choices:
  1. Click a toggle button to enable/disable AntiVir's Real-Time Monitoring function, vs
  2. Go to Control Panel, then Add/Remove, and then
    • Proceed to uninstall all of what seems to be a perfectly good software suite
    • When done, put it all back or find something else that replaces the functionality, integrates with his other security components (the first was a "suite" of components from the same mfr), and requires learning the methods and nuances of different software when we hadn't seen any evidence his current software is lacking.
    Option 1 seems to make the most sense to me as something to try, especially given the effort it requires.
Yes, if the Startups automatically re-appear, it's usually a sign of a Virus / Trojan issue.
We can also demonstrate what to expect of some protection software products. Spybot doesn't let you change things either, though it should generate pop-up notifications to say startup / registry changes are being blocked unless the user specifically allows.
 
Great to have a brand new virus :D

Spybot is uninstalled. Avira antivirus uninstalled. Downloading AVG free.

I'll be right back when completed and rebooted.
 
So, any other programs in Add/Remove Programs in Control Panel that may be resident protecting? Please remove

AVG is good, I feel; make sure you update 3 times in a row after install (this is only done once)
Also make sure you untick the option for AVG to start the antivirus task (this is at the end of the install)
 
AVG is now installed and running. I did a full scan and it found two trojan horses, but not the virus we are trying to remove; it seems it is downloading more viruses, as those were also in folders to which I had no access.

So the problem continues the same.

I will now concentrate on reading all you have written here, run the things you said and then tell you what happened.

By the way, don't you guys ever sleep? Impressive =)
 
Short note here; I tried again Startup Control Panel, everything else is removed except AVG and msconfig. Should I remove msconfig also? The good thing here is that the startups could be removed.

Msconfig and regedit also only show AVG two times and msconfig, nothing more.

New HJT log attached. There are some strange entries now.
 
I'm here, I just haven't read the new log yet (emphasis on HJT log)

Are you saying that Startup Control Panel is now clean ?
And yes put msconfig back to Normal
Which in turn, you may need to run Startup CP again
 
About the other questions made here;

The problems, buffer overrun and so on, still exist just like in the beginning, apart from that there are lots of files and folders made by this virus that I cannot access; they weren't there at the time of my first post.
So it should not be a protection software issue as far as I know. That LimeWire folder is still there, no access, and appears with those popups about buffer overrun.

Also there are minor "side effects" like my mouse having a ghost, moving in strange ways sometimes, changing the icon, the icon having shadows and so on; also Firefox gets stuck and then changes the order of open pages on the internet while, for example, reading the news. (I get from one page to another without touching anything.) These problems didn't occur in the beginning.

Avira AntiVir was the full version, but now it is gone anyway. I don't care, because this virus entered anyway without my having clicked anything suspicious.

Well I would like this computer to work asap but if there's still some good ideas I would like to listen before nuking this thing.
 
Startup Control Panel seems clear now, but the problem still exists. Msconfig is normal, though PowerISO and programs like that are left unticked.
 
Startup Control Panel shows these in the HKLM\Run list:

!AVG Anti-Spyware
Adobe Reader Speed Launcher
AVG7_CC
ISMBgr.exe (path says it is SONY ISB utility)
MSConfig
NeroFilterCheck
Quick Time Task
SunJavaUpdateSched
SynTPEnh (path says Synaptics\SynTP\SynTPEnh.exe , don't know what that is)
WinAmpAgent
Windows Defender
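The list above is what Startup Control Panel reads out of the Run keys. Below is an added PowerShell example (my own code, not from the thread or from any tool named in it) that pulls the same autostart entries straight from the registry, resolves each command line to its executable, and reports whether that file exists and whether it carries a valid Authenticode signature, which is the check a responder wants when deciding which entries look out of place. It assumes PowerShell 2.0 or later and the standard Run/RunOnce key locations; the function name and output columns are mine.

```powershell
# Added example: enumerate autostart entries from the Run/RunOnce keys
# (HKLM and HKCU, plus the 32-bit view on 64-bit Windows) and check
# each command's executable on disk. Assumption: PowerShell 2.0+.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutostartEntry {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }   # key absent on this host
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $command = [string]$item.GetValue($name)
            # Extract the executable: a quoted first token, or everything up to
            # the first ".exe"; anything else is taken as-is.
            if ($command -match '^"([^"]+)"') {
                $exe = $Matches[1]
            } elseif ($command -match '^(.+?\.exe)') {
                $exe = $Matches[1]
            } else {
                $exe = $command
            }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $exists = Test-Path -LiteralPath $exe
            # Signature status is only meaningful when the file is present.
            $sig = 'n/a'
            if ($exists) {
                $sig = (Get-AuthenticodeSignature -FilePath $exe).Status
            }
            New-Object PSObject -Property @{
                Key       = $key
                Name      = $name
                Command   = $command
                Exists    = $exists
                Signature = $sig
            }
        }
    }
}

# Entries whose file is missing or unsigned are the ones worth a closer look.
Get-AutostartEntry |
    Select-Object Key, Name, Exists, Signature, Command |
    Sort-Object Exists, Signature |
    Format-Table -AutoSize
```

The script only reads the registry and never changes it. A missing file or a `NotSigned` status is not proof of malware (plenty of legitimate OEM utilities are unsigned), but together with an unfamiliar name it tells you which entry to research first, and it gives a baseline you can re-run after a reboot to see whether anything "came back".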
 
Actually I don't like C:\Program Files\Sony\Image Converter 3\IcVzMonLauncher.exe (there is a lot of Sony files)
You could change it to IcVzMonLauncher.OLD and see if anything changes

Here's a good one to Disable
How To Disable Desktop Window Manager (DWM)

1- press start
2- type services.msc in the search bar
3- if UAC prompts, press ok
4- scroll down to letter "D" so that you can find "Desktop Window Manager Session Manager"
5- right click on the service and click on "stop"
6- then right click again on the service and choose "properties"
7- on the "general" tab, select startup type as "Disabled"
8- press OK and exit...
9- you will realize the changes just after you do this process
10- just to inform, doing this process causes lack of visuality such as the transparency disappears etc...

This indexing service can really slow down a computer
Control Panel-->Indexing Options-->Advanced button-->uncheck .XML file extension--> OK

Edit:

This file--> ISMBgr.exe you just posted, is that a spelling mistake? Nothing found on Web on this
(I think yes - just a spelling mistake)

SynTPEnh (path says Synaptics\SynTP\SynTPEnh.exe , don't know what that is)
It's your touchPad driver - please leave it alone
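The ten GUI steps above can be done in one script. The following is an added PowerShell example of my own (not from the thread), which looks the service up by the display name used in the steps, records its current start mode before touching it, then stops it and sets it to Disabled, so the change can be reverted later. It assumes an elevated PowerShell prompt on Vista/7, where "Desktop Window Manager Session Manager" is the UxSms service; the function names are mine.

```powershell
# Added example: disable a service by display name while keeping a record
# of its previous start mode, with a matching function to undo the change.
# Assumptions: run as Administrator; Win32_Service is available (Vista+).

function Disable-ServiceWithRecord {
    param([Parameter(Mandatory=$true)][string]$DisplayName)

    # Resolve the display name shown in services.msc to the real service name.
    $svc = Get-Service -DisplayName $DisplayName -ErrorAction Stop
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$($svc.Name)'"
    $previous = $wmi.StartMode          # Auto, Manual, Disabled, ...

    if ($svc.Status -eq 'Running') {
        Stop-Service -Name $svc.Name -Force   # step 5: stop the service
    }
    Set-Service -Name $svc.Name -StartupType Disabled   # step 7: startup type

    New-Object PSObject -Property @{
        Name              = $svc.Name
        DisplayName       = $DisplayName
        PreviousStartMode = $previous
    }
}

function Restore-ServiceFromRecord {
    param([Parameter(Mandatory=$true)]$Record)

    # Map the WMI start mode back to what Set-Service accepts.
    $mode = switch ($Record.PreviousStartMode) {
        'Auto'   { 'Automatic' }
        'Manual' { 'Manual' }
        default  { 'Disabled' }
    }
    Set-Service -Name $Record.Name -StartupType $mode
    if ($mode -ne 'Disabled') { Start-Service -Name $Record.Name }
}

# Usage: disable DWM and keep the record for later.
$record = Disable-ServiceWithRecord -DisplayName 'Desktop Window Manager Session Manager'
$record | Format-List
# To put it back: Restore-ServiceFromRecord -Record $record
```

Keeping the record object around is the point of the helper: when troubleshooting by elimination, every service you disable should be something you can put back in exactly the state you found it, otherwise you end up unsure which of your own changes caused a later symptom.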
 