Something is changing my .exe files to 0-byte files

Discussion in 'Windows Desktop Systems' started by LoctOut, Sep 22, 2004.

  1. LoctOut

    LoctOut OSNN Addict

    and adding this $$$ebpebpebpebp$$$ to the extensions. (read.exe becomes read.exe$$$ebpebpebpebp$$$)

    This only happens when I try to install Kaspersky AV version 5. But I know it is a good, clean version. Something is being triggered by the installation of Kaspersky. I have Symantec's v 9 corporate installed and it finds nothing.

    I've checked for hidden data streams (supposedly a vulnerability of NTFS partitions) and found a few which I deleted, but still have the problem.

    I've been messing with this for 2 days now and am at a total loss. It quickly will change .exe, some .rar, and some desktop.ini files. Once written, they can't be deleted. It also adds entries to the registry of .rar$$$ebpebpebpebp$$$ and .exe$$$ebpebpebpebp$$$ as new file types.
     
  2. Tittles

    Tittles Dabba Dooba Political User

    Download Ad-ware and search for spyware and all that crap. U positive that it's clean? Has it always done this or did u just get it?
     
  3. LoctOut

    LoctOut OSNN Addict

    I've already scanned with the latest versions of ad-aware, spybot, spysweeper, hijack this and others. Yes I know it to be a clean version because it installs on other systems just fine. Also scanned with a couple tools for alternate data streams (ADS) which most AV scanners won't detect. Should add I'm using Win XP Pro with SP2
     
  4. Tittles

    Tittles Dabba Dooba Political User

    Maybe it's a software conflict or somethin. Sorry I can't help much, pretty sure someone will respond soon tho.
     
  5. Xie

    Xie - geek - Subscribed User Folding Team

    Sounds like a virus .. similar to this one here. Perhaps try and scan your system with housecall (it's a free online AV) and see if it finds anything.
     
  6. LoctOut

    LoctOut OSNN Addict

    Xie... nope, not creative. Housecall comes up negative too...... thanks though
     
  7. Tittles

    Tittles Dabba Dooba Political User

    Man...kind of a stumper when it's not ad-ware or a virus. It's gotta be a virus cause what else would be doin that? I don't think I will be sane again until I find out what's goin on.
     
  8. Electronic Punk

    Electronic Punk Administrator Staff Member Political User Folding Team

    Could you post your hijackthis log, just to be sure.
     
  9. GoNz0

    GoNz0 NTFS Stoner

    search the registry for $$$ebpebpebpebp$$$

    find anything?
     
  10. LoctOut

    LoctOut OSNN Addict

    It also adds entries to the registry of .rar$$$ebpebpebpebp$$$ and .exe$$$ebpebpebpebp$$$ as new file types.
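
A read-only way to inventory the damage described in this thread (files renamed with the `$$$ebpebpebpebp$$$` suffix, and matching file-type entries in the registry), as an added example that is not from any poster. It assumes the new file types are registered as subkeys of HKEY_CLASSES_ROOT; the function names and the sample files in `demo()` are constructed for illustration.

```python
import os
import sys
import tempfile

# Suffix reported in the thread; it is appended to the original file name.
MARKER = "$$$ebpebpebpebp$$$"

def find_renamed_files(root):
    """Return (path, original_name, size) for every file under root whose
    name ends with MARKER. Nothing is modified or deleted."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(MARKER):
                continue
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
            except OSError:
                size = -1  # unreadable; still worth reporting
            hits.append((path, name[: -len(MARKER)], size))
    return sorted(hits)

def find_registry_file_types():
    """List HKEY_CLASSES_ROOT subkeys ending with MARKER (Windows only).
    Assumption: the rogue file types are registered under HKCR."""
    if sys.platform != "win32":
        return []
    import winreg
    found = []
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, "") as hkcr:
        for i in range(winreg.QueryInfoKey(hkcr)[0]):
            sub = winreg.EnumKey(hkcr, i)
            if sub.endswith(MARKER):
                found.append(sub)
    return found

def demo():
    """Scan a constructed sample tree: two renamed 0-byte files, one intact."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in [("read.exe" + MARKER, b""),
                           ("docs.rar" + MARKER, b""),
                           ("setup.exe", b"MZ")]:
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return [(orig, size) for _p, orig, size in find_renamed_files(root)]

if __name__ == "__main__":
    print(demo())
    print(find_registry_file_types())
```

Running `find_renamed_files` against a drive root from a known-clean boot environment gives a list of original names to restore from backup or reinstall.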
     
  11. Maveric169

    Maveric169 The Voices Talk to Me

    What about your system processes list? Anything JDLR there? Might try and kill all processes except the system critical ones and see if it still happens. That would at least eliminate other software, so if it still happens you know it is something in Windows.
     
  12. dave holbon

    dave holbon Moderator

    Somewhere I remember this type of file extension alteration being part of the execution or activation process of various types of virus in an attempt at buffer overflow. This virus has some bugs inherent in its design as it’s failed to patch the executable correctly and write out the code back to the copy which results in zero file sizes with the strange extensions. This could even be a new virus or a corrupted old one either way I doubt if most AVC’s will detect, Kaspersky should though, that is if you can start it. Try running directly from the CD but again can’t remember if you can do this with Kaspersky.

    :) :) :)
     
  13. vision

    vision OSNN One Post Wonder

    $$$ebpebpebpebp$$$

    I am getting the exact same error/problem.
    If anyone has found a solution please post, or email me at daemon7@hushmail.com
     
  14. dave holbon

    dave holbon Moderator

    If you’re using Windows XP SR2 firewall, download from the Kaspersky site their 30 day trial of Kaspersky firewall and disable the XP version just before the re-boot.

    Download the latest version of Kaspersky 30 day trial of AVP, un-install the version of Kaspersky (whatever it is) and install the new download version. Re-boot the machine, go to Kaspersky site and update the AVP engine. Re-boot again.

    Do not go on-line. Perform a complete system scan with AVP as this can access all your restore points and other areas of the system you cannot access as it runs in ring one, as a system process, and will catch just about everything possible.

    If no problems are found then I suspect that the files now at zero bytes were themselves viruses or whatever but I know that this is probably not the case, my view is that a virus within a virus, or bug in a virus has caused this. Set Kaspersky to scan at its highest level by selecting “settings” on the tab and set “configure real time protection” and “on demand scan” to their highest levels, re-boot then perform another full system scan.

    As before, hidden partitions on your drive are sometimes prevalent and some sophisticated viruses can produce their own password protected partitions using what is in effect a hand written (miniature operating system itself) partition that no version of Windows or Linux is aware of. If this does not work only one path is left, this being to download from the hard drive manufacturer the utility that performs a low level format of the drive and has the ability to destroy all partitions on it, totally. No operating system can do this, it must be the utility from the hard drive manufacturer.
     
  15. LeeJend

    LeeJend Moderator

    If all that doesn't work reformat, because you are badly infected.